Provably Secure Convertible Undeniable Signatures with Unambiguity Le Trieu Phong1 , Kaoru Kurosawa2 , and Wakaha Ogata3 1

NICT, Japan, [email protected] Ibaraki University, Japan, [email protected] Tokyo Institute of Technology, Japan, [email protected] 2

3

Abstract. This paper shows some efficient and provably-secure convertible undeniable signature schemes (with both selective conversion and all conversion), in the standard model and discrete logarithm setting. They further satisfy unambiguity, which is traditionally required for anonymous signatures. Briefly, unambiguity means that it is hard to generate a (message, signature) pair which is valid for two different public-keys. In other words, our schemes can be viewed as anonymous signature schemes as well as convertible undeniable signature schemes. Besides other applications, we show that such schemes are very suitable for anonymous auction.

Keywords: Undeniable signatures, selective/all conversion, anonymous signatures, discrete logarithm, standard model.

1 1.1

Introduction Background

Undeniable Signatures. Almost twenty years ago, Chaum and van Antwerpen [11] introduced the concept of undeniable signature (US) scheme, where a signature is not publicly verifiable, which is in contrast to ordinary signature schemes. The verification of an undeniable signature requires the cooperation of the signer through the zero-knowledge confirmation protocol (for validity of signatures) and zero-knowledge disavowal protocol (for invalidity of signatures). A mandatory property of a US scheme thus is invisibility, namely without interacting with the signer, it is hard to decide whether a signature is valid or not. Also, it is worth noting that either the confirmation or disavowal protocol must be successful if the signer is honest; and the case both protocols fail formally implies that the signer is not cooperating (or cheating). Undeniable signature is useful when we sign on sensitive data such as software [5], electronic cash [6, 12, 35], confidential business agreement [13]. There have been a wide range of research on the concept [5, 10, 13, 19, 24–31, 40], to list just a few. Most of the papers are in the random oracle model, with (even arbitrary) short signatures [30], or extensive security consideration of a classical scheme

[31]. In the standard model, the first efficient proposal is that of Laguillaumie and Vergnaud [28] (but relying on a non-standard and strong assumption for invisibility). In order to link undeniable signature to regular signature, Boyar et al [5] proposed the concept of conversion. In all conversion, the signer releases a piece of information so that all issued undeniable signatures can be publicly-verifiable. In selective conversion, the signer publishes a piece of information so that a single undeniable signature is publicly-verifiable. The paper [5] gave a generic construction of US scheme with selective and all conversion from one-way function, but the construction is not practical. Note that selectively-convertible undeniable signature schemes play a central role in fair payment protocols [6], so the more efficient the former is, the more practical the latter can be realized. For more applications, the readers may find in [5, 13]. We also note that the above mentioned work of Laguillaumie and Vergnaud [28], while producing very short signatures (of about 170 bits), does not support any kinds of conversion. In an attempt to realize practical US schemes with conversions, Damgard and Pedersen [13] proposed two dlog-based schemes, but they could not formally prove the invisibility of their schemes, and just conjectured on it. Recently, another attempt was made by Yuen et al [40] using pairings, but their scheme suffers from a big (exponential) loss factor in security reduction, so that the signer is only able to produce very few (less than 128) signatures. The scheme in [40] is claimed to satisfy invisibility, but in Appendix A, we point out that the claim is incorrect. More recently, El Aimani [14] proposed some generic approaches for building efficient undeniable signature schemes, but with no selective conversion. In the full version [17] of [14], El Aimani claims selective conversion property, but we observe that the claim is correct only if the signer is honest. However, there exists no convertible undeniable signature scheme which satisfies unambiguity which will be explained below. Anonymous Signatures. The concept is proposed by Yang et al [39] (at PKC ’06), and has further study in [1,18,36,41]. Anonymous signatures and undeniable signatures share the same goal of ensuring anonymity (implied by invisibility in this paper) by not revealing the link between signatures and public-keys. However, compared to undeniable signature schemes, anonymous signature schemes do not necessarily have confirmation/disavowal protocols; and yet they have one more security notion called unambiguity. To explain more about anonymous signatures, let us recall its typical application suggested in all previous works, which is anonymous auction where Alice (with pkA ) wishes to place a bid with value bidA . She wants to be able to claim the bid as hers in case it wins, but otherwise wishes to remain anonymous. The natural solution is to provide, at bidding time, the values bidA , pkA , as well as her anonymous signature of bidA . Later, when the result is announced, and if Alice has won, she can release the relevant opening information to claim her bid. We however observe that the above usage of anonymous signatures in auction may cause trouble, which is overlooked by previous works. Imagine a situation in which Alice has won, but refuses to provide the opening information. The

natural solution for the auctioneer is to choose the second-highest bidB of Bob as the winning bid. The real trouble now is that, if Alice and Bob cooperate, they will win every auction! Alice places the highest bid just after Bob, and then refuses to open her signature on the bid, so that Bob will be the winner. This is clearly unfair to other players in the auction. All existing works on anonymous signatures have not noticed the situation that either the winner refuses to open, or there is cooperation between two users4 . To overcome the above trouble, we then suggest that one should use undeniable signature schemes with selective conversion in anonymous auction, provided that they meet all security notions of anonymous signatures. Alice then cannot deny her signature of the bid anymore, since the auctioneer can execute the confirmation and disavowal protocols to check. Let us now explain the unambiguity notion [1] (aka, unpretendability [36]). It intuitively ensures that if Alice has won, and releases the opening information to claim her bid, then no one else can claim that bid. Previously, unambiguity was not considered as a security notion for undeniable signature schemes. However, to serve in the context of anonymous auction as we suggested above, undeniable signature schemes must satisfy unambiguity. 1.2

Our contribution

We propose two convertible undeniable signature schemes satisfying anonymity, called SCUS1 and SCUS2 . They have the following properties. – The schemes support both selective and all conversion. Moreover, they enjoy formally-proven security in the standard model, relying on the strong DiffieHellman (sDH) and the decision linear (DLIN) assumption. Their confirmation and disavowal protocols are of (minimal) four moves5 . – The signature size is about 70 + 3 · |q| (resp, 4 · |q|) bits for SCUS1 (resp, SCUS2 ) where |q| ≈ 170. The piece of information for all conversion is of 2·|q| bits for both schemes. For each selective conversion, the piece of information is also 2·|q| bits if we accept stateful signers; otherwise, we employ the NIZK proof of Groth and Sahai [21], and need to release a few more bits. – Both SCUS1 and SCUS2 additionally meet the unambiguity notion, under the discrete log assumption. Therefore, they can be used in anonymous auction to detect the winner in case she refuses to open (namely, convert) her signature. 4

5

Interestingly, we find that what we discuss for anonymous auction still applies in principle to Yahoo auction in Yapan. Namely, in the Yahoo auction, if two identities (e.g., of one person) cooperate in the way we have described, they will have advantages over ones proceeding honestly. The point is in the Yahoo auction, the winning identity can easily deny contacting the seller for paying process, making the seller to choose the identity with second-highest bid as the winner. We remark that the 3-move scheme of Kurosawa and Heng [25] is insecure, as shown by Ogata et al in [31] (Sect.V.D, page 2013), who furthermore point out that any 3-move (HVZK) confirmation/disavowal protocols are not secure against active attacks.

It is worth noting that it is unknown whether previous undeniable signature schemes with selective conversion have this additional property. Above, the scheme SCUS1 produces shorter signatures than SCUS2 , but the public key of SCUS1 (of 170 · |q| bits) is much longer than that of SCUS2 (of 12 · |q| bits). Choosing which one to use thus depends on specific applications. Let us now look at the ways to obtain the above results. We first focus on the ideas behind SCUS1 . Sign-then-Encrypt Paradigm. We re-utilize an elegant paradigm introduced by Damgard and Pedersen [13] in which the undeniable signature σ of a message m is of the form σ = Encryptpk2 (Signsk1 (m)), where Encrypt and Sign are respectively some regular encryption and signature scheme. For all conversion, the signer publishes the secret key sk2 of the encryption scheme, so that everyone can decrypt σ to get the regular signature Signsk1 (m) and then check its validity. For selective conversion, the signer releases the regular signature Signsk1 (m). Some difficulties when using the above paradigm are: (1) designing efficient zero-knowledge confirmation and disavowal protocols, (2) proving the invisibility of the designed scheme, and (3) releasing Signsk1 (m) in a provable way (that it is the signature encrypted in σ). Damgard and Pedersen [13] have overcome (1) but not (2). For (3), they suggested a method of storing all randomness previously used in signing. We suggest another method by using the efficient NIZK proof of Groth and Sahai [21], as seen later. To overcome (1) (and (3) in an efficient way), one needs to properly choose simple (but-secure-enough) ingredients. To design SCUS1 , we choose the Generic Bilinear Map (GBM) signature [22] and the linear encryption [3] (LE) scheme. A GBM signature on m is of the form (s, ρ = H(m)1/(x+s) ) for a random s, a standard model hash function H and the secret key sk1 = x. We use the LE scheme to encrypt ρ in the ciphertext (u1 = g1r1 , u2 = g2r2 , u3 = ρ · g r1 +r2 ) for randomness r1 , r2 . The undeniable signature σ = (s, u1 , u2 , u3 ). Intuitively, σ seems random-like, unrelated to m, (and thus invisible) because s is random and (u1 , u2 , u3 ) is random-like under the decision linear assumption. However, the scheme is in fact not invisible. The reason is in the malleability of LE scheme. In particular, if σ = (s, u1 , u2 , u3 ) is valid on a message m (resp, σ is random), then σ 0 = (s, u1 g1α , u2 g2β , u3 g α+β ) is also valid on m (resp, σ 0 is random) for adversarily-chosen randomness α and β. The fact causes a simple attack on the invisibility of (m, σ) as follows: the adversary first asks the signer for converting (m, σ 0 ), so that it knows the validity of the pair, and hence it also is aware of whether the corresponding (m, σ) is valid. (See Definition 3 for a formal definition on invisibility, which also contains some new insights.) Fortunately, we can overcome the above attack as follows: we authenticate the randomness r1 , r2 by signing on u1 and u2 . In our proposed SCUS1 scheme (in Sect.4), the values (u1 = g1r1 , u2 = g2r2 ) are generated first, then the GBM signature on m, u1 , u2 is created: s, ρ = H(m k u1 k u2 )1/(x+s) . After all, set u3 = ρ · g r1 +r2 and let the undeniable signature σ = (s, u1 , u2 , u3 ). With the authentication on the randomness, the adversarily-formed σ 0 above becomes

invalid regardless of whether σ is valid on m, so that the validity of σ 0 cannot be used to decide that of σ. We succeed in proving the invisibility of our proposed scheme in Theorem 6. On Confirmation and Disavowal Protocol. Now we give ideas on constructing the confirmation and disavowal protocol for SCUS1 . To confirm m, σ = (s, u1 , u2 , u3 ) , the signer needs to prove for secrets x1 (= dlogg1 g), x2 (= dlogg2 g), and x: 1 u3 = H(m k u1 k u2 ) x+s . ux1 1 ux2 2 Namely, the LE decryption of (u1 , u2 , u3 ) gives the GBM signature on m, u1 , u2 . Or equivalently, −x1 (x+s)

ux3 · u1

−x2 (x+s)

· u2

= H(m k u1 k u2 ) · u−s 3 ,

which is a proof of representation of public value H(m k u1 k u2 ) · u−s 3 , and can be realized by standard techniques, using constant moves. Now we turn to the disavowal protocol. Given m, σ = (s, u1 , u2 , u3 ) , the signer needs to prove for secrets x1 , x2 , x: u3 x1 x2 u1 u2

1

6= H(m k u1 k u2 ) x+s ,

or equivalently, −x1 (x+s)

ux+s · u1 3

−x2 (x+s)

· u2

· H(m k u1 k u2 )−1 6= 1. $

Employing the technique of Camenisch and Shoup [9], we choose r ← Zq and set −x1 (x+s)

U = ux+s · u1 3

−x2 (x+s)

· u2

r · H(m k u1 k u2 )−1 .

The signer sends U to the verifier, who checks that U 6= 1. Then both execute a proof of representation of U , where the signer holds the secrets r, x, x1 , x2 . The zero-knowledge protocol can also be accomplished via standard techniques, also using constant moves. Moreover, since we will work on a pairing group, the disavowal protocol can be made non-interactive, again thanks to the NIZK proof of Groth-Sahai [21], interestingly yielding a way to efficiently “convert” (namely, make publicly-verifiable) even invalid signatures. More Schemes. The above ideas work well if we replace the GBM signature by 1/(x+H(m)+ys) the signature of Boneh and Boyen [2], which is of the form (s, g0 ) for random s ∈ Zq , g0 ∈ G, and secret signing key x, y. The replacement creates our SCUS2 described in Sect.5. Furthermore, in the random oracle model, one can use the BLS signature [4] so that the unforgeability of the resulting undeniable signature scheme relies on the CDH assumption in bilinear group. We do not explicitly consider the random oracle scheme in this paper. More Related Works. Subsequent to a preliminary version of this work [34] on the Eprint, Schuldt, Matsuura [38], and Huang, Wong [23] have suggested

some other schemes with interesting additional properties. Both works indicate that, if using NIZK proofs in undeniable signatures, the common reference string must be legitimately set up (say, by a trusted party like the CA in PKI). Unfortunately, the scheme of Huang and Wong [23] turned out not satisfying anonymity, as shown in [38]. The scheme of [38], while relying on a more standard assumption, produces longer signatures (or public keys) than the ones in this paper. Both works [23, 38] do not consider unambiguity. Independently with us, El Aimani [15] also discovered the usage of the NIZK of Groth and Sahai [21] in the context of confirmer signatures. The sign-thenencrypt approach is also used to build confirmer signatures in [16] in an abstract manner. As a trade-off to its generality, the construction in [16] has to employ the cut-and-choose technique for the confirmation and disavowal protocols, and hence the protocols are not of constant rounds (say, 80 rounds to reach 2−80 soundness error). In contrast, we take a concrete approach in this paper, resulting in schemes with minimal 4-round protocols. The above sign-then-encrypt paradigm has also been successfully re-used in [33] in the RSA-based setting, creating RSA-based US schemes supporting (selective and all) conversions, with signatures of (80 + 2 · 1024) bits, converters of 1024 bits, while the securities rely on the strong RSA assumption and the decisional N -th residuosity (DNR) assumption in the standard model. Note that the RSA-based schemes give longer signatures than dlog-based schemes, as usual.

2

Syntax and definitions

We begin with the syntax of selectively-convertible undeniable signature (SCUS for short) schemes. We focus on the syntax of schemes with selective conversion here and do not explicitly describe the syntax of all conversion since the latter is very simple in our proposals. Definition 1 (SCUS scheme) A selectively-convertible undeniable signature scheme SCUS = (KeyGen, Usign, Convert, Verify, Confirm, Disavowal) consists of four algorithms and two protocols whose descriptions are as follows. – KeyGen(1κ ) → (pk, sk): This algorithm generates the public key pk and the secret key (signing key) sk for user. – USign(sk, m) → σ: Using the secret key sk, this algorithm produces a signature σ on a message m. – Convert(sk, m, σ) → cvt/ ⊥: Using sk, this algorithm releases a converter cvt if the message-signature (m, σ) pair is valid, enabling everyone to check the validity of the pair. If the pair is invalid, the output of the algorithm is ⊥. 6 – Verify(pk, m, σ, cvt) → 0/1: Using the converter cvt, everyone can check the validity of (m, σ) by this algorithm. 6

Note that only valid undeniable signatures can be converted, and the signer has no responsibility to convert ill-formed ones. These properties are natural, and sufficient enough for application (e.g., [6]). However, we note in our proposed schemes, the signer can even “convert” invalid signatures by making the disavowal protocol noninteractive (via Groth-Sahai result [21], as seen later).

– Confirm: This is a protocol between the signer and a verifier, on common input (pk, m, σ), the signer with sk proves that (m, σ) is a valid message-signature pair in zero-knowledge. – Disavowal: This is a protocol between the signer and a verifier, on common input (pk, m, σ), the signer with sk proves that (m, σ) is an invalid messagesignature pair in zero-knowledge. Definition 2 (Unforgeability and strong unforgeability of SCUS) A selectively convertible undeniable signature scheme SCUS is said to be existential unforgeable under adaptive chosen message attack if no poly-time forger F has a non-negligible advantage in the following game: at the beginning, F is given the public key pk. Then F is permitted to issue a series of queries shown below. – Signing queries: F submits a message m to the signing oracle and receives a signature σ on m. These queries are adaptive, namely the next query can depend on the answers of previous ones. – Convert queries: F submits a message-signature pair (m, σ) to the convert oracle, and receives a converter cvt. These queries are also adaptive. – Confirmation/disavowal queries: F submits a message-signature pair of the form (m, σ) to the confirmation/disavowal oracle. We will consider active attack, where the oracle first checks the validity of (m, σ). If it is a valid pair, the oracle returns 1 and executes the confirmation protocol with F (acting as a cheating verifier). Otherwise, the oracle returns 0 and executes the disavowal protocol with F. At the end of the game, F outputs a pair (m∗ , σ ∗ ). In the definition of unforgeability, the forger F wins the game if the pair (m∗ , σ ∗ ) is a valid messagesignature pair, and m∗ has never been queried to the signing oracle. The advanorge tage of F is defined to be AdvfSCUS (F) = Pr[F wins]. In the definition of strong unforgeability, the only different point is that (m∗ , σ ∗ ) does not coincide with any (m, σ) at signing queries. We denote F’s advantage orge in this case by Advsf SCUS (F) = Pr[F wins]. The notion of invisibility intuitively ensures that no-one (without contacting the signer) can tell whether a message-signature pair is valid or not, and is formally given below. We note that this definition is new to this work. Definition 3 (Strong invisibility) A selectively-convertible undeniable signature scheme SCUS satisfies strong invisibility under adaptive chosen message attack if no poly-time distinguisher D has a non-negligible advantage in the following game. At first, KeyGen(1κ ) → (pk, sk), and then D is given the public key pk. Then D is permitted to issue a series of queries: signing queries, convert queries, confirmation/disavowal queries, as in Definition 2. At some point, D outputs an arbitrary message m∗ , and requests a challenge signature σ ∗ on m∗ . The challenge signature σ ∗ is generated based on a hidden bit b. If b = 0, then σ ∗ is generated as usual using the signing algorithm; otherwise σ ∗ is chosen randomly from the signature space of the scheme (which only depends on the security parameter κ, and not on pk, sk).

The distinguisher D may additionally issue signing queries, convert queries, confirmation/disavowal queries with the only restriction that no confirmation/disavowal query and convert query (m∗ , σ ∗ ) are allowed. At the end, D outputs a bit b0 as the guess for b. The distinguisher wins the game if and only if b0 = b and its advantage is defined as Advinv SCUS (D) = | Pr[b0 = b] − 1/2|. Remarks 1 Above, there are some subtleties. First, we do allow the distinguisher to submit convert queries of the form (m∗ , σ) with σ 6= σ ∗ . We clarify this point here for later use in Appendix A. Second, D can make signing query m∗ , even in multiple times, even before and after the challenge query. Intuitively, a scheme meeting the definition enables the signer to sign on the same message many times without any loss in invisibility, so that the scheme is very suitable and easy to use at least in licensing software, which is one of the main applications, where one piece of software may be signed many times. This second subtlety makes our definition differ from and stronger than previous ones (say, that of [31]). A scheme meeting the (weak) definition as in [31] can be turned into another one satisfying our definition by ensuring that the signing messages are pairwise different (via randomness, the time when signing, etc). Similarly to the second point above, we believe that strong unforgeability is very suitable for undeniable signature schemes, especially in the context of licensing software. Our proposals fortunately meet these strong notions of security. Another security notion for undeniable signatures is anonymity, intuitively ensuring that given a message-signature pair, it is hard to know who produces the pair. As pointed out in [19], invisibility implies anonymity if all signers share a common signature space, a condition fulfilled by our proposals. We thus focus on invisibility in the rest of this paper. Definition 4 (Standard signature schemes) A signature scheme S = (Kg, Sign, Vrf) is as follows. On input 1κ , the key generation algorithm Kg produces the public key pk and the secret signing key sk. On input sk and a message m, the signing algorithm Sign produces a signature σ, which is publicly-verifiable using the verification algorithm Vrf on input pk and σ. The unforgeability under chosen message attack (uf-cma security) of a signature scheme S is defined essentially the same as that of SCUS in Definition 2, except that the forger F against S only issues signing queries. We denote −cma the advantage of F by Advuf (F) = Pr[F wins]. The strong unforgeability S (suf-cma security) is defined in a similar manner and we have the advantage −cma Advsuf (F) = Pr[F wins]. S

3

Preliminaries

Pairing Group. We call PG = (G, GT , q = |G|, g, eˆ : G × G → GT ) a pairing group if G and GT are cyclic groups of prime order q, where the bit length

|q| = κ ≈ 170. The element g is a generator of G, and the mapping eˆ satisfies the following properties: eˆ(g, g) 6= 1, and eˆ(g a , g b ) = eˆ(g, g)ab . Dlog Assumption. The assumption claims that, given PG as above, and for all $ $ x poly-time adversary A, Advdlog G,PG (A) = Pr[h = g : g, h ← G; x ← A(g, h, PG)] is negligible. Decision Linear Assumption. Given a pairing group PG, the assumption, first formalized in [3], asserts that the following advantage of a poly-time adversary A is negligible in the security parameter κ. $ $ α, β, γ ← Zq ; g1 , g2 , g3 ← G; 1 0 $ dlin AdvG (A) = Pr b = b : T0 ← g3α+β ; T1 ← g3γ ; b ← {0, 1}; − . 2 $ b0 ← A(PG, g1 , g2 , g3 , g1α , g β , Tb ) 2

Known Dlog-Based ZKIP. We use known techniques for proving statements about discrete logarithms, such as (1) proof of knowledge of discrete logarithm [37]; (2) proof of knowledge of an element representation in a prime order group [32]; and the ∧ proof of (1) and (2). (The ∧ proof is easily designed by choosing the same challenge while asking the prover to prove both (1) and (2) in parallel.) These proofs need four moves to become zero-knowledge. When referring to the proofs above, we use the following kind of notation. For instance, PoK{(x1 , x2 ): y = g x1 ∧ U = ux1 1 ux2 2 } denotes a zero-knowledge proof of knowledge of x1 and x2 such that y = g x1 and U = ux1 1 ux2 2 . All values except (x1 , x2 ) are assumed to be known to the verifier. Known NIZK Proof. We utilize the non-interactive zero-knowledge (NIZK) X m proof for proving that a system of equations of the form g0 = Πj=1 gj j , over a group G (with pairing as above) is satisfiable, where Xj are variables and g0 , . . . , gm are constants in G. This is derived from the result of Groth and Sahai [21]. We will mention more about the NIZK proofs later.

4

Our proposed SCUS1

In this section, we describe our first selectively convertible undeniable signature (SCUS) scheme and analyze its securities. 4.1

Building blocks

We first need the following ingredients, which operate on a common pairing group PG = (G, GT , q = |G|, g, eˆ : G × G → GT ). The pairing group is implicitly included in the public keys of the following schemes. Generic Bilinear Map Signature Scheme GBM [22]. The signature scheme GBM = (GBM.Kg, GBM.Sign, GBM.Vrf) is briefly recalled with some minor modifications as follows.

$

GBM.Kg(1κ ): Generate x ← Zq , X ← g x , and H : {0, 1}∗ → G. Return the verifying key pk1 = (X, H, η) where η = 70 and the signing key sk1 = x. (The public key size |pk1 | ≈ 162 · log2 q bits, according to the estimation in [22], due to the concrete description of H.) 1

$

GBM.Sign(sk1 , m ∈ {0, 1}∗ ): s ← {0, 1}η , ρ ← H(m) x+s ∈ G. Return (s, ρ) ∈ {0, 1}η × G as the signature on m. GBM.Vrf pk1 , m, (s, ρ) : Check that (s, ρ) ∈ {0, 1}η × G and eˆ(ρ, X · g s ) = eˆ(H(m), g). Return 1 if all checks pass, else return 0. The signature scheme is known to be strongly unforgeable (suf-cma secure) under the strong Diffie-Hellman assumption. To be complete, the proof given in [22] is for the uf-cma case, but holds even for suf-cma security. Linear Encryption [3]. The linear encryption scheme LE= (LE.Kg, LE.Enc, LE.Dec) is as follows. $

LE.Kg(1κ ): Generate x1 , x2 ← Zq and set g1 ← g 1/x1 , g2 ← g 1/x2 . Return the public key pk2 = (g1 , g2 ) and the secret key sk2 = (x1 , x2 ). LE.Enc(pk2 , m ∈ G): Choose r1 , r2 ← Zq and set u1 ← g1r1 , u2 ← g2r2 , u3 ← m · g r1 +r2 . Return (u1 , u2 , u3 ) as the ciphertext of m. LE.Dec sk2 , (u1 , u2 , u3 ) : Return u3 /(ux1 1 ux2 2 ). $

The scheme is ind-cpa-secure under the decision linear assumption [3]. 4.2

The scheme SCUS1

The scheme is described as follows. KeyGen(1κ ): Run GBM.Kg(1κ ) and LE.Kg(1κ ) to get (pk1 , sk1 ) and (pk2 , sk2 ). Return the public key pk = (pk1 , pk2 ) and the signing key sk = (sk1 , sk2 ). USign(sk, m): First, generate r1 , r2 ← Zq , and set u1 ← g1r1 , u2 ← g2r2 , 1 $ and m = m k u1 k u2 . Next, sign on m to get s, ρ = H(m) x+s ← GBM.Sign(sk1 , m). Then, encrypt ρ in the ciphertext (u1 , u2 , u3 = ρ · g r1 +r2 ). Return the undeniable signature σ = (s, u1 , u2 , u3 ). $

Convert(sk, m, σ): Parse σ as (s, u1 , u2 , u3 ) ∈ {0, 1}η × G3 , and let ρ ← u3 /(ux1 1 ux2 2 ). If (s, ρ) is not a GBM signature on m k u1 k u2 then return ⊥. Otherwise, return the converter (ρ, π) ∈ G × G12 , where π is a NIZK proof proving (with secrets x1 , x2 ): g = g1x1 , g = g2x2 , u3 /ρ = ux1 1 ux2 2 .

(1)

Such a NIZK proof π can be efficiently created using the result of Groth and Sahai [21]. See Appendix B for the concrete description of π. Another method of converting, inspired by Damgard and Pedersen [13], is to store the randomness r1 , r2 used in signing and later release them as converter. Then, everyone can check u1 = g1r1 , u2 = g2r2 and compute ρ as u3 /g r1 +r2 .

To do all conversion, release sk2 = (x1 , x2 ) so that everyone can compute ρ = u3 /(ux1 1 ux2 2 ) and then check whether (s, ρ) is a valid GBM signature on m k u1 k u2 . Note that in this case, our proposal becomes a regular signature scheme equivalent to the GBM scheme. Verify(pk, m, σ, cvt): Parse σ as (s, u1 , u2 , u3 ) ∈ {0, 1}η ×G3 and cvt as (ρ, π) ∈ G × G12 . Return 1 (meaning, valid) if π is a valid proof of the equations (1), and (s, ρ) is a valid GBM signature on m k u1 k u2 . Otherwise return 0. (We omit details when cvt = (r1 , r2 ).) Confirm: On common input pk, (m, σ), the signer and the verifier execute n o PoK (x, a, b) : g1a = (Xg s )−1 ∧ g2b = (Xg s )−1 ∧ ux3 ua1 ub2 = H(m k u1 k u2 )u−s . 3 Intuitively, the equations first show that a = −x1 (x + s) and b = −x2 (x + s) where x = dlogg (X), x1 = dlogg1 g and x2 = dlogg2 g. With the values a, b, the final equation is equivalent to u3 /(ux1 1 ux2 2 ) = H(m k u1 k u2 )1/(x+s) . Since u1 , u2 ∈ G, a cyclic group, there exist r1 , r2 such that u1 = g1r1 and u2 = g2r2 , and thus ux1 1 = g r1 , ux2 2 = g r2 . Hence, u3 = H(m k g1r1 k g2r2 )1/(x+s) · g r1 +r2 , showing that σ = (s, u1 , u2 , u3 ) is indeed produced by USign on m. The zero-knowledge proof of knowledge can be implemented using known ZKIPs described in Sect. 3. In the above PoK, the signer must also prove the knowledge of the secret key corresponding to the public key, namely (x, x1 , x2 ) satisfying g x = X, g = g1x1 = g2x2 . We omit these types of conditions hereafter in all PoKs for clarity. Disavowal: On common input pk, (m, σ), the signer sends a value U 6= 1 to the verifier, and both execute n PoK (c, d, f, r) : g c (X −1 g −s )r = g1d (Xg s )r = g2f (Xg s )r = 1 o ∧ U = uc3 · ud1 · uf2 · H(m k u1 k u2 )−r . Intuitively, the equations of the first line give us c = r(x+s), d = −rx1 (x+s), and f = −rx2 (x + s). Substituting these values to the second line equation and noting that U 6= 1 show u3 /(ux1 1 ux2 2 ) 6= H(m k u1 k u2 )1/(x+s) , and thus (m, σ) is invalid. The disavowal protocol is also implemented using known ZKIPs or NIZK proof in Sect. 3. Note that the NIZK proof for the disavowal protocol gives a way to “convert” (namely, make publicly-verifiable) invalid signatures. Above, if the confirmation protocol fails, then the disavowal protocol is run. If both fails, we conclude that the signer is cheating (or not cooperating). We now consider securities of SCUS1 , which are ensured by the following theorems. Theorem 5 (Strong unforgeability) The proposed SCUS1 scheme is strongly unforgeable if the signature scheme GBM is suf-cma-secure. Moreover, given a forger F against SCUS1 , there exists another forger F 0 against the GBM signature scheme such that orge suf −cma Advsf (F 0 ), SCUS1 (F) ≤ AdvGBM

T(F 0 ) = O(qconf /dis ) · T(F), where qconf /dis is the total number of confirmation/disavowal queries F made, and T expresses the running time. Proof. Given in Appendix C. Theorem 6 (Strong invisibility) The SCUS1 scheme satisfies strong invisibility. Moreover, given a distinguisher D against SCUS1 , there exist an Adlin against the decision linear assumption, and a forger F against SCUS1 such that sf orge dlin Advinv SCUS1 (D) ≤ AdvG (Adlin ) + AdvSCUS1 (F),

T(Adlin ) = O(qconf /dis ) · T(D), and T(F) ≈ T(D), where T expresses the running time, and qconf /dis is the total number of confirmation/disavowal queries D makes. Proof. We proceed in games as follows. Game 0: This is exactly the definitional game as in Definition 3. Let Wi (i = 0, 1) be the event that the distinguisher D wins in Game i, we have Advinv SCUS1 (D) = Pr[W0 ] by definition. Game 1: This game is the same as Game 0, except that we consider the following distinguisher: D never issues a convert or confirmation/disavowal query (m, σ) satisfying (1) the pair is valid (namely, ⊥ or 0 was not returned), and (2) the pair is different from all previously-issued message-signature pairs at the signing oracle. Obviously, if D (in Game 0) issues the pair (m, σ) as above, then we can use (m, σ) as a forgery (in the strong sense) of the SCUS1 scheme. More precisely, we can use D to build a forger F against SCUS1 with T(F) ≈ T(D). Thus, Game 0 and Game 1 are indistinguishable thanks to the strong unforgeability of the scheme, and hence orge |Pr[W0 ] − Pr[W1 ]| ≤ Advsf SCUS1 (F).

Using the distinguisher D in Game 1, we now build an adversary Adlin against the decision linear assumption on G satisfying Pr[W1 ] ≤ Advdlin G (Adlin ). Note that sf orge Advinv SCUS1 (D) = Pr[W0 ] ≤ Pr[W1 ] + AdvSCUS1 (F) sf orge ≤ Advdlin G (Adlin ) + AdvSCUS1 (F),

which completes the proof. Thus the rest is devoted to constructing such Adlin . The input of Adlin is (PG, g1 , g2 , g, g1α , g2β , Tb ), where T0 = g α+β and T1 = g γ $ for α, β, γ ← Zq . The adversary Adlin itself sets up the keys for GBM signa$ ture scheme: sk1 = x ← Zq and pk1 = (g x , H, η = 70); and generates a simulated crs and a trapdoor t for the NIZK of the equations (1). Then Adlin

gives pk = (pk1 , g1 , g2 , crs) to D and begins to simulate the environment for the distinguisher as follows: $

$

– Signing query m: Adlin chooses the randomness r1 , r2 ← Zq and s ← {0, 1}η , and computes ρ ← H(m k u1 k u2 )1/(x+s) where u1 = g1r1 and u2 = g2r2 . It then lets u3 ← ρ · g r1 +r2 and returns σ = (s, u1 , u2 , u3 ) to D as the undeniable signature on m. The adversary Adlin internally keeps a record of the values ρ, and also lets Q ← Q ∪ {(m, σ)} for later use, where Q is an initially empty set of message-signature pairs appeared so far. – Convert query (m, σ): If (m, σ) ∈ Q then return the corresponding recorded ρ and a simulated NIZK proof πsim (of the equations (1)) produced by using the trapdoor t. If (m, σ) 6∈ Q then return ⊥ to D. The reasoning behind this simulation is that if (m, σ) 6∈ Q then the pair must be invalid since we are in Game 1. – Confirmation/disavowal query (m, σ): Like the simulation for convert query above, if (m, σ) ∈ Q then return 1 and run the confirmation protocol with D; otherwise return 0 and run the disavowal protocol. The protocols are simulatable using the rewinding technique [20] since they are zero-knowledge. – Challenge query m∗ : Let u∗1 ← g1α and u∗2 ← g2β . Choose s∗ ← {0, 1}η and ∗ then compute ρ∗ ← H(m∗ k u∗1 k u∗2 )1/(x+s ) and u∗3 ← ρ∗ · Tb . Return σ ∗ = (s∗ , u∗1 , u∗2 , u∗3 ) to D. Note that if b = 0 then Tb = T0 = g α+β , so that σ ∗ is a valid undeniable signature on m∗ . If b = 1 then Tb = T1 = g γ is a random value over G independent of the other values, so that σ ∗ is also randomly distributed over the signature space {0, 1}η × G3 . At the end, the distinguisher D outputs a bit b0 as a guess of the hidden bit b. The adversary Adlin in turn outputs b0 . The advantage of Adlin is exactly the probability D wins in Game 1, namely Advdlin G (Adlin ) = Pr[W1 ]. The running time of Adlin is O(qconf /dis ) times that of D due to the rewinding. $

5

Our proposed SCUS2

In this section, we describe our second scheme SCUS2 , which is also secure under the same assumptions as those of SCUS1 . The scheme SCUS2 uses the BonehBoyen [2] signature scheme as a component. We first recall the Boneh-Boyen signature scheme, basing on a pairing group PG = (G, GT , q = |G|, g, eˆ : G×G → GT ). Boneh-Boyen Signature Scheme. The (standard) signature scheme BB = (BB.Kg, BB.Sign, BB.Vrf) is as follows. $

$

BB.Kg(1κ ): Generate g0 ← G, x, y ← Zq , u ← g x , v ← g y , z = eˆ(g0 , g), and a target collision hash H : {0, 1}∗ → Zq . Return the verifying key pk1 = (g0 , u, v, z, H) and the signing key sk1 = (x, y). $

1

BB.Sign(sk1 , m): s ← Zq , ρ ← g0x+H(m)+ys ∈ G. Return (s, ρ) ∈ Zq × G as the signature on m.

BB.Vrf pk1 , m, (s, ρ) : Check that (s, ρ) ∈ Zq ×G and eˆ ρ, u · g H(m) · v s = z. Return 1 if all checks pass, else return 0. It was proven in [2] that the above signature scheme is suf-cma-secure under the strong Diffie-Hellman assumption. Our Proposal SCUS2 . The scheme, whose security analysis is given in Appendix D, is described as follows. KeyGen(1κ ): Run BB.Kg(1κ ) and LE.Kg(1κ ) to get (pk1 , sk1 ) and (pk2 , sk2 ). Return the public key pk = (pk1 , pk2 ) and the signing key sk = (sk1 , sk2 ). USign(sk, m): First, generate r1 , r2 ← Zq , and set u1 ← g1r1 , u2 ← g2r2 , 1 $ and m = m k u1 k u2 . Next, sign on m to get s, ρ = g0x+H(m)+ys ← BB.Sign(sk1 , m). Then, encrypt ρ in the ciphertext (u1 , u2 , u3 = ρ · g r1 +r2 ). Return the undeniable signature σ = (s, u1 , u2 , u3 ). Convert(sk, m, σ): The same as that of SCUS1 , except now checking whether (s, ρ) is a BB signature or not. Also, for all conversion, release sk2 = (x1 , x2 ), so that our proposal becomes a regular signature scheme equivalent to the BB scheme. Verify(pk, m, σ, cvt): The same as that of SCUS1 , except now checking whether (s, ρ) is a valid BB signature or not. Confirm: On common input pk, m, σ = (s, u1 , u2 , u3 ), the signer and the verifier execute n −1 PoK (a, b, c) : g a = uv s ∧ g1b = g2c = uv s g H(mku1 ku2 ) o −H(mku1 ku2 ) ∧ ua3 ub1 uc2 = g0 u3 . $

The first three equations show a = x+ys, b = −x1 (x + H (m k u1 k u2 ) + ys), and c = −x2 (x + H (m k u1 k u2 ) + ys), where x1 = dlogg1 g and x2 = dlogg2 g. With the values a, b, c, the final equation is equivalent to u3/(ux1 1 ux2 2 ) 1/(x+H(mku ku )+ys)

1 2 = g0 , showing that (m, σ) is valid. The zero-knowledge proof of knowledge can be implemented using known ZKIPs or NIZK proofs described in Sect. 3. Disavowal: On common input pk, m, σ = (s, u1 , u2 , u3 ), the signer sends a value U 6= 1 to the verifier, and both execute n PoK (d, e, f, r) : g d (ug H(mku1 ku2 ) v s )−r = 1 ∧ g1e (ug H(mku1 ku2 ) v s )r = 1 o ∧ g2f (ug H(mku1 ku2 ) v s )r = 1 ∧ U = ud3 · ue1 · uf2 · g0−r .

Intuitively, the first three equations give us d = r(x + H(m k u1 k u2 ) + ys), e = −rx1 (x + H(m k u1 k u2 ) + ys), and f = −rx2 (x + H(m k u1 k u2 ) + ys). Substituting these values to the last equation and noting that 1/(x+H(mku1 ku2 )+ys) U 6= 1 show u3 /(ux1 1 ux2 2 ) 6= g0 , and thus (m, σ) is invalid. The disavowal protocol is also implemented using known ZKIPs or NIZK proof in Sect. 3.

6

SCUS1,2 as anonymous signature schemes

The security notions for an anonymous signature scheme are unforgeability, anonymity, and unambiguity. The former two notions are met by SCUS1 and SCUS2 , as seen in the previous sections. The last notion, unambiguity, intuitively ensures that if one signer releases a converter to convert a signature, then nobody else can convert that signature. We formalize the notion as follows. Definition 7 (Unambiguity) A scheme SCUS satisfies unambiguity if for any poly-time adversary A, $ $ (pkA , skA ) ← KeyGen(1κ ), (pkB , skB ) ← KeyGen(1κ ) def $ Advunamb (mA , mB , σ, cvtA , cvtB ) ← A(pkA , skA , pkB , skB ) SCUS (A) = Pr Verify(pkA , mA , σ, cvtA ) = Verify(pkB , mB , σ, cvtB ) = 1 is negligible in the parameter κ. If the adversary chooses cvtA randomly and lets mA = mB , the above definition essentially becomes that of Saraswat and Yun [36]. On the other hand, the difference with Bellare and Duan [1] is that we require the users indeed hold secret keys corresponding to their public keys (which can be done via efficient zero-knowledge proofs of knowledge). Ours is stronger than [36], weaker than [1]. It is however worth noting that since our schemes are also undeniable signature ones, requiring knowledge of valid secret keys is normal; since otherwise a signer creates a fake pair (sk 0 , pk) (e.g., unrelated values), then all signatures become invalid with respect to pk, so the signer obviously can deny signatures he himself produced. We now consider the schemes SCUS1 and SCUS2 , and let the converters of the schemes be the randomness of the LE scheme. Theorem 8 The schemes SCUS1 and SCUS2 (releasing randomness for selective conversion) satisfy unambiguity, under the discrete-log assumption. In particular, for any adversary A, there is an adversary B such that dlog Advunamb SCUS1,2 (A) ≤ AdvG (B),

T(B) ≈ T(A). The full proof is given in Appendix E, but the intuition is as follows. From the input g, h of B, we set up the keys (pkA , skA ) in base g, and (pkB , skB ) in base h and run A. Any ambiguity will lead to the value dlogg (h), against the dlog assumption.

Acknowledgements We thank Dennis Hofheinz for communicating on the strong uf-cma security of the GBM scheme. Many thanks also go to Laila El Aimani, Jacob Schuldt, and

Ryo Kikuchi for fruitful discussions, which sharpened the knowledge of the first author on the topic. We are indebted to the anonymous reviewers for comprehensive comments. Parts of this work was done while the first author was at Tokyo Institute of Technology with a MEXT scholarship.

References 1. M. Bellare and S. Duan. New definitions and designs for anonymous signatures. Cryptology ePrint Archive, Report 2009/336, 2009. http://eprint.iacr.org/. 2. D. Boneh and X. Boyen. Short signatures without random oracles and the sdh assumption in bilinear groups. J. Cryptology, 21(2):149–177, 2008. 3. D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In M. K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in Computer Science, pages 41–55. Springer, 2004. 4. D. Boneh, B. Lynn, and H. Shacham. Short signatures from the weil pairing. J. Cryptology, 17(4):297–319, 2004. 5. J. Boyar, D. Chaum, I. Damg˚ ard, and T. P. Pedersen. Convertible undeniable signatures. In A. Menezes and S. A. Vanstone, editors, CRYPTO, volume 537 of Lecture Notes in Computer Science, pages 189–205. Springer, 1990. 6. C. Boyd and E. Foo. Off-line fair payment protocols using convertible signatures. In K. Ohta and D. Pei, editors, ASIACRYPT, volume 1514 of Lecture Notes in Computer Science, pages 271–285. Springer, 1998. 7. E. F. Brickell, editor. Advances in Cryptology - CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16-20, 1992, Proceedings, volume 740 of Lecture Notes in Computer Science. Springer, 1993. 8. J. Camenisch, N. Chandran, and V. Shoup. A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In A. Joux, editor, EUROCRYPT, volume 5479 of Lecture Notes in Computer Science, pages 351–368. Springer, 2009. 9. J. Camenisch and V. Shoup. Practical verifiable encryption and decryption of discrete logarithms. In D. Boneh, editor, CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 126–144. Springer, 2003. 10. D. Chaum. Zero-knowledge undeniable signatures. In EUROCRYPT, pages 458– 464, 1990. 11. D. Chaum and H. V. Antwerpen. Undeniable signatures. In G. Brassard, editor, CRYPTO, volume 435 of Lecture Notes in Computer Science, pages 212–216. Springer, 1989. 12. D. Chaum and T. P. Pedersen. Wallet databases with observers. In Brickell [7], pages 89–105. 13. I. Damg˚ ard and T. P. Pedersen. New convertible undeniable signature schemes. In EUROCRYPT, pages 372–386, 1996. 14. L. El Aimani. Toward a generic construction of universally convertible undeniable signatures from pairing-based signatures. In D. R. Chowdhury, V. Rijmen, and A. Das, editors, INDOCRYPT, volume 5365 of Lecture Notes in Computer Science, pages 145–157. Springer, 2008. 15. L. El Aimani. Efficient confirmer signatures from the “signature of a commitment” paradigm. Cryptology ePrint Archive, Report 2009/435, 2009. http://eprint. iacr.org/.

16. L. El Aimani. On generic constructions of designated confirmer signatures. In B. K. Roy and N. Sendrier, editors, INDOCRYPT, volume 5922 of Lecture Notes in Computer Science, pages 343–362. Springer, 2009. Full version available at http://eprint.iacr.org/2009/403. 17. L. El Aimani. Toward a generic construction of convertible undeniable signatures from pairing-based signatures. Cryptology ePrint Archive, Report 2009/362, 2009. http://eprint.iacr.org/. 18. M. Fischlin. Anonymous signatures made easy. In T. Okamoto and X. Wang, editors, Public Key Cryptography, volume 4450 of Lecture Notes in Computer Science, pages 31–42. Springer, 2007. 19. S. D. Galbraith and W. Mao. Invisibility and anonymity of undeniable and confirmer signatures. In M. Joye, editor, CT-RSA, volume 2612 of Lecture Notes in Computer Science, pages 80–97. Springer, 2003. 20. O. Goldreich and Y. Oren. Definitions and properties of zero-knowledge proof systems. J. Cryptology, 7(1):1–32, 1994. 21. J. Groth and A. Sahai. Efficient non-interactive proof systems for bilinear groups. In N. P. Smart, editor, EUROCRYPT, volume 4965 of Lecture Notes in Computer Science, pages 415–432. Springer, 2008. 22. D. Hofheinz and E. Kiltz. Programmable hash functions and their applications. In D. Wagner, editor, CRYPTO, volume 5157 of Lecture Notes in Computer Science, pages 21–38. Springer, 2008. 23. Q. Huang and D. S. Wong. New constructions of convertible undeniable signature schemes without random oracles. Cryptology ePrint Archive, Report 2009/517, 2009. http://eprint.iacr.org/. 24. K. Kurosawa and J. Furukawa. Universally composable undeniable signature. In L. Aceto, I. Damg˚ ard, L. A. Goldberg, M. M. Halld´ orsson, A. Ing´ olfsd´ ottir, and I. Walukiewicz, editors, ICALP (2), volume 5126 of Lecture Notes in Computer Science, pages 524–535. Springer, 2008. 25. K. Kurosawa and S.-H. Heng. 3-Move undeniable signature scheme. In R. Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 181–197. Springer, 2005. 26. K. Kurosawa and S.-H. Heng. Relations among security notions for undeniable signature schemes. In R. D. Prisco and M. Yung, editors, SCN, volume 4116 of Lecture Notes in Computer Science, pages 34–48. Springer, 2006. 27. K. Kurosawa and T. Takagi. New approach for selectively convertible undeniable signature schemes. In X. Lai and K. Chen, editors, ASIACRYPT, volume 4284 of Lecture Notes in Computer Science, pages 428–443. Springer, 2006. 28. F. Laguillaumie and D. Vergnaud. Short undeniable signatures without random oracles: The missing link. In S. Maitra, C. E. V. Madhavan, and R. Venkatesan, editors, INDOCRYPT, volume 3797 of Lecture Notes in Computer Science, pages 283–296. Springer, 2005. 29. J. Monnerat and S. Vaudenay. Generic homomorphic undeniable signatures. In P. J. Lee, editor, ASIACRYPT, volume 3329 of Lecture Notes in Computer Science, pages 354–371. Springer, 2004. 30. J. Monnerat and S. Vaudenay. Undeniable signatures based on characters: How to sign with one bit. In F. Bao, R. H. Deng, and J. Zhou, editors, Public Key Cryptography, volume 2947 of Lecture Notes in Computer Science, pages 69–85. Springer, 2004. 31. W. Ogata, K. Kurosawa, and S.-H. Heng. The security of the FDH variant of Chaum’s undeniable signature scheme. IEEE Transactions on Information Theory, 52(5):2006–2017, 2006.

32. T. Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. In Brickell [7], pages 31–53. 33. L. T. Phong, K. Kurosawa, and W. Ogata. New rsa-based (selectively) convertible undeniable signature schemes. In B. Preneel, editor, AFRICACRYPT, volume 5580 of Lecture Notes in Computer Science, pages 116–134. Springer, 2009. 34. L. T. Phong, K. Kurosawa, and W. Ogata. Provably secure convertible undeniable signatures with unambiguity. Cryptology ePrint Archive, Report 2009/394, 2009. http://eprint.iacr.org/. Full version of this paper. 35. D. Pointcheval. Self-scrambling anonymizers. In Y. Frankel, editor, Financial Cryptography, volume 1962 of Lecture Notes in Computer Science, pages 259–275. Springer, 2000. 36. V. Saraswat and A. Yun. Anonymous signatures revisited. In J. Pieprzyk and F. Zhang, editors, ProvSec, volume 5848 of Lecture Notes in Computer Science, pages 140–153. Springer, 2009. 37. C.-P. Schnorr. Efficient signature generation by smart cards. J. Cryptology, 4(3):161–174, 1991. 38. J. C. N. Schuldt and K. Matsuura. An efficient convertible undeniable signature scheme with delegatable verification. Cryptology ePrint Archive, Report 2009/454, 2009. http://eprint.iacr.org/. 39. G. Yang, D. S. Wong, X. Deng, and H. Wang. Anonymous signature schemes. In M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, editors, Public Key Cryptography, volume 3958 of Lecture Notes in Computer Science, pages 347–363. Springer, 2006. 40. T. H. Yuen, M. H. Au, J. K. Liu, and W. Susilo. (Convertible) undeniable signatures without random oracles. In S. Qing, H. Imai, and G. Wang, editors, ICICS, volume 4861 of Lecture Notes in Computer Science, pages 83–97. Springer, 2007. 41. R. Zhang and H. Imai. Strong anonymous signatures. In M. Yung, P. Liu, and D. Lin, editors, Inscrypt, volume 5487 of Lecture Notes in Computer Science, pages 60–71. Springer, 2008.

A

A flaw in [40]

We first show that the scheme of Yuen et al [40] does not have invisibility in the sense of Definition 3. Let us briefly recall their undeniable signature scheme. A signature on a message m is of the form σ = (S1 , S2,1 , . . . , S2,k ) where k = 7 (see the final remark of the paper), and S1 = g2α U r ,

S2,j = Vjr (1 ≤ j ≤ k),

where α is in the secret key, r is random, while g2 , U, Vj are publicly-computable values. Notice that the undeniable signature scheme is not strongly unforgeable, since σ 0 = (S1 U t , S2,1 V1t , . . . , S2,k Vkt ) is also valid on the same m for an adversarily-chosen randomness t. (The randomness of the signature becomes r + t.) The attack on the scheme uses the same idea as the one we present at Sect.1.1. Namely, the adversary obtains the challenge σ (which is either random or valid) on its challenge query m, and then submits (m, σ 0 ) as above for selective conversion. If the answer is ⊥, then σ 0 is not valid on m, and so σ is not a signature on m. If the answer is not ⊥, σ 0 is valid on m, and so is σ. The attack is sufficient to

show that the scheme of [40] does not satisfy invisibility in the sense of Definition 3. However, Yuen et al [40] use a weaker (and not natural) definition of invisibility which disallows the convert query (m, σ 0 ) as above. In that case, the above attack does not apply, but the invisibility proof (Theorem 2 of [40]) is incorrect in that it makes use of strong unforgeability. Specifically, in the simulation of the confirmation/disavowal oracle, the following reasoning is used: Let L is the set of previously-appeared message-signature pairs at the signing oracle. Upon receiving a confirmation/disavowal query (m, σ), if (m, σ) ∈ L then return 1 and execute the confirmation protocol, otherwise if (m, σ) 6∈ L then return 0 and execute the disavowal protocol. The above simulation is unfortunately imperfect and incorrect, since if the adversary submits the above (m, σ 0 ) as a confirmation/disavowal query, then (m, σ 0 ) 6∈ L, but valid, while the simulation will return 0 and execute the disavowal protocol. In short, if the strong definition of invisibility (Definition 3) is used, the scheme in [40] is totally insecure; while if the weaker definition is used, then the invisibility proof provided in [40] is incorrect. In the full version of [40], Yuen et al have totally revised their scheme, which is based on the CDH and DLIN assumptions. However, the scheme is not as efficient as ours, let alone seems hard to meet unambiguity.

B

The NIZK proof for selective conversion

We present the concrete NIZK proof of the equations g = g1x1 , g = g2x2 , u3 /ρ = ux1 1 ux2 2 , used by the Convert algorithms of SCUS1 and SCUS2 . The proof is originally developed by Groth and Sahai [21], but here we follows the exposition of Camenisch, Chandran and Shoup [8] (Section 4.4). Recall that we work on a pairing group PG = (G, GT , q = |G|, g, eˆ : G × G → GT ). First, a common reference string, which must be honestly generated, and can $ be kept in the public key of the signer, is generated as follows: γ1 , γ2 , γ3 ← G and $ γ = (γ0 , γ00 , γ000 ) ← G3 . Let the common reference string be crs = (γ1 , γ2 , γ3 , γ), and define vectors γ1 = (γ1 , 1, γ3 ), γ2 = (1, γ2 , γ3 ). $ The prover, with secrets x1 , x2 , works as follows. It chooses random rij ← Zq , where 1 ≤ i, j ≤ 2, and computes δ1 = γ x1 · γ1 r11 · γ2 r12 = (γ0x1 γ1r11 , γ00x1 γ2r12 , γ000x1 γ3r11 +r12 ) ∈ G3 , δ2 = γ x2 · γ1 r21 · γ2 r22 = (γ0x2 γ1r21 , γ00x2 γ2r22 , γ000x2 γ3r21 +r22 ) ∈ G3 , where exponentiations and products of the vectors are understood (as usual) as exponentiations and products of the corresponding components. The NIZK proof is π = δ1 , δ2 , (g1r11 , g1r12 ), (g2r21 , g2r22 ), (ur111 · ur221 , ur112 · ur222 ) ∈ G12 .

Define E : G × G3 → G3T , which sends the tuple α, (α1 , α2 , α3 ) to the tuple eˆ(α, α1 ), eˆ(α, α2 ), eˆ(α, α3 ) , which is also a bilinear map. To verify whether π = δ1 , δ2 , (p1 , p2 ), (p01 , p02 ), (p001 , p002 ) ∈ G12 proves the equations, one checks whether the following holds E(g1 , δ1 ) = E(g, γ) · E(p1 , γ1 ) · E(p2 , γ2 ), E(g2 , δ2 ) = E(g, γ) · E(p01 , γ1 ) · E(p02 , γ2 ), E(u1 , δ1 ) · E(u2 , δ2 ) = E(u3 /ρ, γ) · E(p001 , γ1 ) · E(p002 , γ2 ). Derived from [8], the NIZK proof has perfect completeness, statistical soundness, and computational zero-knowledge (based on the decision linear assumption). The zero-knowledge is computational since a simulated crs is needed, and is created as follows: γ1 and γ2 are generated as above, but γ = γ1 t1 γ2 t2 for trapdoor t = (t1 , t2 ).

C

Proof of Theorem 5

Given a forger F against the proposed SCUS scheme, we build a forger F 0 against the ordinary GBM signature scheme. The input of F 0 is pk1 = (PG, X = g x , H, η = 70) and F 0 has a signing oracle GBM.Sign(sk1 = x, ·). F 0 itself chooses $ the keys for the linear encryption scheme sk2 = (x1 , x2 ) ← Zq2 , and pk2 = (g1 = g 1/x1 , g2 = g 1/x2 ). The forger F 0 gives pk = (pk1 , pk2 ) as the public key of the SCUS scheme to F, and begins to simulate the environment for the SCUS forger as follows: – Signing query m: F 0 chooses r1 , r2 ← Zq and sets u1 ← g1r1 , u2 ← g2r2 , and then calls m k u1 k u2 to its own signing oracle GBM.Sign(sk1 = x, ·) to obtain the GBM signature (s, ρ). F 0 then returns the undeniable signature (s, u1 , u2 , u3 = ρ · g r1 +r2 ) to F. $

– Confirmation/disavowal query (m, σ): Parse σ as (s, u1 , u2 , u3 ) ∈ {0, 1}η × G3 . Decrypt (u1 , u2 , u3 ) to get ρ (since F 0 has sk2 ), and then check whether (s, ρ) is a valid GBM signature on m k u1 k u2 or not. If it is the case, return 1 and run the confirmation protocol with F (acting as a cheating verifier); otherwise, return 0 and run the disavowal protocol with F accordingly. The protocols are simulatable using the rewinding technique [20] since they are zero-knowledge. – Convert query (m, σ): Parse σ = (s, u1 , u2 , u3 ) ∈ {0, 1}η × G3 . Let ρ ← u3 /(ux1 1 ux2 2 ). If (s, ρ) is a valid GBM signature on m k u1 k u2 , then compute the NIZK proof π (using secrets x1 , x2 ) of the equations (1), and finally return the converter (ρ, π). Otherwise, if (s, ρ) is not a valid GBM signature on m k u1 k u2 , then return ⊥. At the end, the forger F outputs m∗ , σ ∗ = (s∗ , u∗1 , u∗2 , u∗3 ) . If F succeeds, (m∗ , σ ∗ ) is a valid pair of the SCUS scheme, we then have u∗3 ∗ x (u1 ) 1 (u∗2 )x2

1

= H(m∗ k u∗1 k u∗2 ) x+s∗ .

u∗ 3 Based on the above equation, F 0 outputs m∗ k u∗1 k u∗2 , (s∗ , (u∗ )x1 (u as ∗ )x2 ) 1 2 a forgery of the ordinary GBM signature scheme. It is clear that the forgery is valid, and we just need to prove that it is different from all message-signature pairs appeared at the oracle GBM.Sign(sk1 = x, ·). By the contrary, suppose that u∗ 3 m∗ k u∗1 k u∗2 , (s∗ , (u∗ )x1 (u = m k u1 k u2 , (s, ρ) , a previously-appeared ∗ )x2 ) 1 2 pair at the signing oracle of F 0 . Thus m = m∗ , u1 = u∗1 , u2 = u∗2 , s = s∗ , and furthermore u∗3 = ρ · (u∗1 )x1 (u∗2 )x2 = ρ · (u1 )x1 (u2 )x2 = u3 , and hence m∗ , σ ∗ = (s∗ , u∗1 , u∗2 , u∗3 ) = m, σ = (s, u1 , u2 , u3 ) , which is a contradiction to the success of F. The running time of F 0 is O(qconf /dis ) times that of F due to the rewinding used in the simulation of the confirmation and disavowal protocol.

D

Security of SCUS2

We consider the securities of SCUS2 , which are ensured by the following theorems. Theorem 9 (Strong unforgeability) The SCUS2 scheme is strongly unforgeable if the signature scheme BB is suf-cma-secure. Moreover, given a forger F against SCUS2 , there exists another forger F 0 against the BB signature scheme such that orge suf −cma Advsf (F 0 ), SCUS2 (F) ≤ AdvBB T(F 0 ) = O(qconf /dis ) · T(F), where qconf /dis is the total number of confirmation/disavowal queries, and T expresses the running time. Proof. The proof is essentially the same as that of Theorem 5, so we just outline the main ideas here. The forger F 0 first generates the keys (pk2 , sk2 ) for the LE scheme, which will be used for the simulation of the convert and confirmation/disavowal oracles. For answering signing queries from F, the forger F 0 uti- lizes its own signing oracle. Finally, F outputs the pair m∗ , σ ∗ = (s∗ , u∗1 , u∗2 , u∗3 ) satisfying 1 ∗ ∗ u∗3 x+H(m∗ ku∗ 1 ku2 )+ys = g , 0 ∗ ∗ (u1 )x1 (u2 )x2 so that F 0 in turn outputs ∗ ∗ ∗ m k u1 k u2 , s∗ ,

u∗3 (u∗1 )x1 (u∗2 )x2

as the forgery in the strong sense of the BB signature, completing the proof.

Theorem 10 (Strong invisibility) The SCUS2 scheme satisfies strong invisibility. Moreover, given a distinguisher D against SCUS2 , there exist Adlin and a forger F against SCUS2 such that sf orge dlin Advinv SCUS2 (D) ≤ AdvG (Adlin ) + AdvSCUS2 (F),

T(Adlin ) = O(qconf /dis ) · T(D), and T(F) ≈ T(D), where T expresses the running time, and qconf /dis is the total number of confirmation/disavowal queries D makes. Proof. The proof follows along the line of that of Theorem 6, except that Adlin generates the keys for the BB signature scheme, and uses them to simulate the signing and challenge oracle for D. The rest remains the same.

E

Unambiguity of SCUS1,2

We begin to show unambiguity for the scheme SCUS2 (choosing to release LE randomness as converter) by proving dlog Advunamb SCUS2 (A) ≤ AdvG,PG (B),

T(B) ≈ T(A). Given A against unambiguity of SCUS2 , we build B against the dlog assumption on G of PG. The adversary B gets (g, h) ∈ G2 and the description of the pairing group PG as input, and needs to output dlogg (h). Using the generator g and PG, B sets up (pkA , skA ) for user A where the value g0 of the Boneh-Boyen signature $ scheme is set to g a for a ← Zq . It does the same for (pkB , skB ) except that the value g0 of the Boneh-Boyen signature scheme is set to h. The adversary B runs A on input (pkA , skA , pkB , skB , PG). A returns the tuple (mA , mB , σ, cvtA , cvtB ), where σ = (s, u1 , u2 , u3 ), the converters cvtA = (r1A , r2A ) and cvtB = (r1B , r2B ) satisfying a

u3 = g xA +HA (mA ku1 ku2 )+yA s · g r1A +r2A 1

u3 = h xB +HB (mB ku1 ku2 )+yB s · g r1B +r2B The values (xA , yA ) and (xB , yB ) are respectively in skA and skB , set up by B. The above equations are thanks to Verify(pkA , mA , σ, cvtA ) = Verify(pkA , mA , σ, cvtA ) = 1. Note that we have the Boneh-Boyen signatures in base g in the first equation and h in the second one. From the above equations, it is clear that B can compute dlogg (h), ending the proof for SCUS2 . We proceed with unambiguity of SCUS1 . Similarly with the above, we have the equations 1

u3 = HA (m) xA +s · g r1A +r2A 1

u3 = HB (m) xB +s · g r1B +r2B

Note that now HA , HB are not arbitrary, but specific hash functions, given as 160 hash(X)[i] hi for Y ∈ {A, B}, h0 , . . . , h160 ∈ G and collisionHY (X) = h0 Πi=1 resistant hash : {0, 1}∗ → {0, 1}160 , where hash(X)[i] denotes the i-th bit of the hash value. Again, the idea is to set up the base g for HA and the base h for HB , which can be easily done by the adversary B. We omit further details. It is interesting to ask whether our schemes with NIZK converters satisfy unambiguity or not. They seem to meet the notion, but we unfortunately cannot prove, so leaving it as an open problem.

NICT, Japan, [email protected] Ibaraki University, Japan, [email protected] Tokyo Institute of Technology, Japan, [email protected] 2

3

Abstract. This paper shows some efficient and provably-secure convertible undeniable signature schemes (with both selective conversion and all conversion), in the standard model and discrete logarithm setting. They further satisfy unambiguity, which is traditionally required for anonymous signatures. Briefly, unambiguity means that it is hard to generate a (message, signature) pair which is valid for two different public-keys. In other words, our schemes can be viewed as anonymous signature schemes as well as convertible undeniable signature schemes. Besides other applications, we show that such schemes are very suitable for anonymous auction.

Keywords: Undeniable signatures, selective/all conversion, anonymous signatures, discrete logarithm, standard model.

1 1.1

Introduction Background

Undeniable Signatures. Almost twenty years ago, Chaum and van Antwerpen [11] introduced the concept of undeniable signature (US) scheme, where a signature is not publicly verifiable, which is in contrast to ordinary signature schemes. The verification of an undeniable signature requires the cooperation of the signer through the zero-knowledge confirmation protocol (for validity of signatures) and zero-knowledge disavowal protocol (for invalidity of signatures). A mandatory property of a US scheme thus is invisibility, namely without interacting with the signer, it is hard to decide whether a signature is valid or not. Also, it is worth noting that either the confirmation or disavowal protocol must be successful if the signer is honest; and the case both protocols fail formally implies that the signer is not cooperating (or cheating). Undeniable signature is useful when we sign on sensitive data such as software [5], electronic cash [6, 12, 35], confidential business agreement [13]. There have been a wide range of research on the concept [5, 10, 13, 19, 24–31, 40], to list just a few. Most of the papers are in the random oracle model, with (even arbitrary) short signatures [30], or extensive security consideration of a classical scheme

[31]. In the standard model, the first efficient proposal is that of Laguillaumie and Vergnaud [28] (but relying on a non-standard and strong assumption for invisibility). In order to link undeniable signature to regular signature, Boyar et al [5] proposed the concept of conversion. In all conversion, the signer releases a piece of information so that all issued undeniable signatures can be publicly-verifiable. In selective conversion, the signer publishes a piece of information so that a single undeniable signature is publicly-verifiable. The paper [5] gave a generic construction of US scheme with selective and all conversion from one-way function, but the construction is not practical. Note that selectively-convertible undeniable signature schemes play a central role in fair payment protocols [6], so the more efficient the former is, the more practical the latter can be realized. For more applications, the readers may find in [5, 13]. We also note that the above mentioned work of Laguillaumie and Vergnaud [28], while producing very short signatures (of about 170 bits), does not support any kinds of conversion. In an attempt to realize practical US schemes with conversions, Damgard and Pedersen [13] proposed two dlog-based schemes, but they could not formally prove the invisibility of their schemes, and just conjectured on it. Recently, another attempt was made by Yuen et al [40] using pairings, but their scheme suffers from a big (exponential) loss factor in security reduction, so that the signer is only able to produce very few (less than 128) signatures. The scheme in [40] is claimed to satisfy invisibility, but in Appendix A, we point out that the claim is incorrect. More recently, El Aimani [14] proposed some generic approaches for building efficient undeniable signature schemes, but with no selective conversion. In the full version [17] of [14], El Aimani claims selective conversion property, but we observe that the claim is correct only if the signer is honest. However, there exists no convertible undeniable signature scheme which satisfies unambiguity which will be explained below. Anonymous Signatures. The concept is proposed by Yang et al [39] (at PKC ’06), and has further study in [1,18,36,41]. Anonymous signatures and undeniable signatures share the same goal of ensuring anonymity (implied by invisibility in this paper) by not revealing the link between signatures and public-keys. However, compared to undeniable signature schemes, anonymous signature schemes do not necessarily have confirmation/disavowal protocols; and yet they have one more security notion called unambiguity. To explain more about anonymous signatures, let us recall its typical application suggested in all previous works, which is anonymous auction where Alice (with pkA ) wishes to place a bid with value bidA . She wants to be able to claim the bid as hers in case it wins, but otherwise wishes to remain anonymous. The natural solution is to provide, at bidding time, the values bidA , pkA , as well as her anonymous signature of bidA . Later, when the result is announced, and if Alice has won, she can release the relevant opening information to claim her bid. We however observe that the above usage of anonymous signatures in auction may cause trouble, which is overlooked by previous works. Imagine a situation in which Alice has won, but refuses to provide the opening information. The

natural solution for the auctioneer is to choose the second-highest bidB of Bob as the winning bid. The real trouble now is that, if Alice and Bob cooperate, they will win every auction! Alice places the highest bid just after Bob, and then refuses to open her signature on the bid, so that Bob will be the winner. This is clearly unfair to other players in the auction. All existing works on anonymous signatures have not noticed the situation that either the winner refuses to open, or there is cooperation between two users4 . To overcome the above trouble, we then suggest that one should use undeniable signature schemes with selective conversion in anonymous auction, provided that they meet all security notions of anonymous signatures. Alice then cannot deny her signature of the bid anymore, since the auctioneer can execute the confirmation and disavowal protocols to check. Let us now explain the unambiguity notion [1] (aka, unpretendability [36]). It intuitively ensures that if Alice has won, and releases the opening information to claim her bid, then no one else can claim that bid. Previously, unambiguity was not considered as a security notion for undeniable signature schemes. However, to serve in the context of anonymous auction as we suggested above, undeniable signature schemes must satisfy unambiguity. 1.2

Our contribution

We propose two convertible undeniable signature schemes satisfying anonymity, called SCUS1 and SCUS2 . They have the following properties. – The schemes support both selective and all conversion. Moreover, they enjoy formally-proven security in the standard model, relying on the strong DiffieHellman (sDH) and the decision linear (DLIN) assumption. Their confirmation and disavowal protocols are of (minimal) four moves5 . – The signature size is about 70 + 3 · |q| (resp, 4 · |q|) bits for SCUS1 (resp, SCUS2 ) where |q| ≈ 170. The piece of information for all conversion is of 2·|q| bits for both schemes. For each selective conversion, the piece of information is also 2·|q| bits if we accept stateful signers; otherwise, we employ the NIZK proof of Groth and Sahai [21], and need to release a few more bits. – Both SCUS1 and SCUS2 additionally meet the unambiguity notion, under the discrete log assumption. Therefore, they can be used in anonymous auction to detect the winner in case she refuses to open (namely, convert) her signature. 4

5

Interestingly, we find that what we discuss for anonymous auction still applies in principle to Yahoo auction in Yapan. Namely, in the Yahoo auction, if two identities (e.g., of one person) cooperate in the way we have described, they will have advantages over ones proceeding honestly. The point is in the Yahoo auction, the winning identity can easily deny contacting the seller for paying process, making the seller to choose the identity with second-highest bid as the winner. We remark that the 3-move scheme of Kurosawa and Heng [25] is insecure, as shown by Ogata et al in [31] (Sect.V.D, page 2013), who furthermore point out that any 3-move (HVZK) confirmation/disavowal protocols are not secure against active attacks.

It is worth noting that it is unknown whether previous undeniable signature schemes with selective conversion have this additional property. Above, the scheme SCUS1 produces shorter signatures than SCUS2 , but the public key of SCUS1 (of 170 · |q| bits) is much longer than that of SCUS2 (of 12 · |q| bits). Choosing which one to use thus depends on specific applications. Let us now look at the ways to obtain the above results. We first focus on the ideas behind SCUS1 . Sign-then-Encrypt Paradigm. We re-utilize an elegant paradigm introduced by Damgard and Pedersen [13] in which the undeniable signature σ of a message m is of the form σ = Encryptpk2 (Signsk1 (m)), where Encrypt and Sign are respectively some regular encryption and signature scheme. For all conversion, the signer publishes the secret key sk2 of the encryption scheme, so that everyone can decrypt σ to get the regular signature Signsk1 (m) and then check its validity. For selective conversion, the signer releases the regular signature Signsk1 (m). Some difficulties when using the above paradigm are: (1) designing efficient zero-knowledge confirmation and disavowal protocols, (2) proving the invisibility of the designed scheme, and (3) releasing Signsk1 (m) in a provable way (that it is the signature encrypted in σ). Damgard and Pedersen [13] have overcome (1) but not (2). For (3), they suggested a method of storing all randomness previously used in signing. We suggest another method by using the efficient NIZK proof of Groth and Sahai [21], as seen later. To overcome (1) (and (3) in an efficient way), one needs to properly choose simple (but-secure-enough) ingredients. To design SCUS1 , we choose the Generic Bilinear Map (GBM) signature [22] and the linear encryption [3] (LE) scheme. A GBM signature on m is of the form (s, ρ = H(m)1/(x+s) ) for a random s, a standard model hash function H and the secret key sk1 = x. We use the LE scheme to encrypt ρ in the ciphertext (u1 = g1r1 , u2 = g2r2 , u3 = ρ · g r1 +r2 ) for randomness r1 , r2 . The undeniable signature σ = (s, u1 , u2 , u3 ). Intuitively, σ seems random-like, unrelated to m, (and thus invisible) because s is random and (u1 , u2 , u3 ) is random-like under the decision linear assumption. However, the scheme is in fact not invisible. The reason is in the malleability of LE scheme. In particular, if σ = (s, u1 , u2 , u3 ) is valid on a message m (resp, σ is random), then σ 0 = (s, u1 g1α , u2 g2β , u3 g α+β ) is also valid on m (resp, σ 0 is random) for adversarily-chosen randomness α and β. The fact causes a simple attack on the invisibility of (m, σ) as follows: the adversary first asks the signer for converting (m, σ 0 ), so that it knows the validity of the pair, and hence it also is aware of whether the corresponding (m, σ) is valid. (See Definition 3 for a formal definition on invisibility, which also contains some new insights.) Fortunately, we can overcome the above attack as follows: we authenticate the randomness r1 , r2 by signing on u1 and u2 . In our proposed SCUS1 scheme (in Sect.4), the values (u1 = g1r1 , u2 = g2r2 ) are generated first, then the GBM signature on m, u1 , u2 is created: s, ρ = H(m k u1 k u2 )1/(x+s) . After all, set u3 = ρ · g r1 +r2 and let the undeniable signature σ = (s, u1 , u2 , u3 ). With the authentication on the randomness, the adversarily-formed σ 0 above becomes

invalid regardless of whether σ is valid on m, so that the validity of σ 0 cannot be used to decide that of σ. We succeed in proving the invisibility of our proposed scheme in Theorem 6. On Confirmation and Disavowal Protocol. Now we give ideas on constructing the confirmation and disavowal protocol for SCUS1 . To confirm m, σ = (s, u1 , u2 , u3 ) , the signer needs to prove for secrets x1 (= dlogg1 g), x2 (= dlogg2 g), and x: 1 u3 = H(m k u1 k u2 ) x+s . ux1 1 ux2 2 Namely, the LE decryption of (u1 , u2 , u3 ) gives the GBM signature on m, u1 , u2 . Or equivalently, −x1 (x+s)

ux3 · u1

−x2 (x+s)

· u2

= H(m k u1 k u2 ) · u−s 3 ,

which is a proof of representation of public value H(m k u1 k u2 ) · u−s 3 , and can be realized by standard techniques, using constant moves. Now we turn to the disavowal protocol. Given m, σ = (s, u1 , u2 , u3 ) , the signer needs to prove for secrets x1 , x2 , x: u3 x1 x2 u1 u2

1

6= H(m k u1 k u2 ) x+s ,

or equivalently, −x1 (x+s)

ux+s · u1 3

−x2 (x+s)

· u2

· H(m k u1 k u2 )−1 6= 1. $

Employing the technique of Camenisch and Shoup [9], we choose r ← Zq and set −x1 (x+s)

U = ux+s · u1 3

−x2 (x+s)

· u2

r · H(m k u1 k u2 )−1 .

The signer sends U to the verifier, who checks that U 6= 1. Then both execute a proof of representation of U , where the signer holds the secrets r, x, x1 , x2 . The zero-knowledge protocol can also be accomplished via standard techniques, also using constant moves. Moreover, since we will work on a pairing group, the disavowal protocol can be made non-interactive, again thanks to the NIZK proof of Groth-Sahai [21], interestingly yielding a way to efficiently “convert” (namely, make publicly-verifiable) even invalid signatures. More Schemes. The above ideas work well if we replace the GBM signature by 1/(x+H(m)+ys) the signature of Boneh and Boyen [2], which is of the form (s, g0 ) for random s ∈ Zq , g0 ∈ G, and secret signing key x, y. The replacement creates our SCUS2 described in Sect.5. Furthermore, in the random oracle model, one can use the BLS signature [4] so that the unforgeability of the resulting undeniable signature scheme relies on the CDH assumption in bilinear group. We do not explicitly consider the random oracle scheme in this paper. More Related Works. Subsequent to a preliminary version of this work [34] on the Eprint, Schuldt, Matsuura [38], and Huang, Wong [23] have suggested

some other schemes with interesting additional properties. Both works indicate that, if using NIZK proofs in undeniable signatures, the common reference string must be legitimately set up (say, by a trusted party like the CA in PKI). Unfortunately, the scheme of Huang and Wong [23] turned out not satisfying anonymity, as shown in [38]. The scheme of [38], while relying on a more standard assumption, produces longer signatures (or public keys) than the ones in this paper. Both works [23, 38] do not consider unambiguity. Independently with us, El Aimani [15] also discovered the usage of the NIZK of Groth and Sahai [21] in the context of confirmer signatures. The sign-thenencrypt approach is also used to build confirmer signatures in [16] in an abstract manner. As a trade-off to its generality, the construction in [16] has to employ the cut-and-choose technique for the confirmation and disavowal protocols, and hence the protocols are not of constant rounds (say, 80 rounds to reach 2−80 soundness error). In contrast, we take a concrete approach in this paper, resulting in schemes with minimal 4-round protocols. The above sign-then-encrypt paradigm has also been successfully re-used in [33] in the RSA-based setting, creating RSA-based US schemes supporting (selective and all) conversions, with signatures of (80 + 2 · 1024) bits, converters of 1024 bits, while the securities rely on the strong RSA assumption and the decisional N -th residuosity (DNR) assumption in the standard model. Note that the RSA-based schemes give longer signatures than dlog-based schemes, as usual.

2

Syntax and definitions

We begin with the syntax of selectively-convertible undeniable signature (SCUS for short) schemes. We focus on the syntax of schemes with selective conversion here and do not explicitly describe the syntax of all conversion since the latter is very simple in our proposals. Definition 1 (SCUS scheme) A selectively-convertible undeniable signature scheme SCUS = (KeyGen, Usign, Convert, Verify, Confirm, Disavowal) consists of four algorithms and two protocols whose descriptions are as follows. – KeyGen(1κ ) → (pk, sk): This algorithm generates the public key pk and the secret key (signing key) sk for user. – USign(sk, m) → σ: Using the secret key sk, this algorithm produces a signature σ on a message m. – Convert(sk, m, σ) → cvt/ ⊥: Using sk, this algorithm releases a converter cvt if the message-signature (m, σ) pair is valid, enabling everyone to check the validity of the pair. If the pair is invalid, the output of the algorithm is ⊥. 6 – Verify(pk, m, σ, cvt) → 0/1: Using the converter cvt, everyone can check the validity of (m, σ) by this algorithm. 6

Note that only valid undeniable signatures can be converted, and the signer has no responsibility to convert ill-formed ones. These properties are natural, and sufficient enough for application (e.g., [6]). However, we note in our proposed schemes, the signer can even “convert” invalid signatures by making the disavowal protocol noninteractive (via Groth-Sahai result [21], as seen later).

– Confirm: This is a protocol between the signer and a verifier, on common input (pk, m, σ), the signer with sk proves that (m, σ) is a valid message-signature pair in zero-knowledge. – Disavowal: This is a protocol between the signer and a verifier, on common input (pk, m, σ), the signer with sk proves that (m, σ) is an invalid messagesignature pair in zero-knowledge. Definition 2 (Unforgeability and strong unforgeability of SCUS) A selectively convertible undeniable signature scheme SCUS is said to be existential unforgeable under adaptive chosen message attack if no poly-time forger F has a non-negligible advantage in the following game: at the beginning, F is given the public key pk. Then F is permitted to issue a series of queries shown below. – Signing queries: F submits a message m to the signing oracle and receives a signature σ on m. These queries are adaptive, namely the next query can depend on the answers of previous ones. – Convert queries: F submits a message-signature pair (m, σ) to the convert oracle, and receives a converter cvt. These queries are also adaptive. – Confirmation/disavowal queries: F submits a message-signature pair of the form (m, σ) to the confirmation/disavowal oracle. We will consider active attack, where the oracle first checks the validity of (m, σ). If it is a valid pair, the oracle returns 1 and executes the confirmation protocol with F (acting as a cheating verifier). Otherwise, the oracle returns 0 and executes the disavowal protocol with F. At the end of the game, F outputs a pair (m∗ , σ ∗ ). In the definition of unforgeability, the forger F wins the game if the pair (m∗ , σ ∗ ) is a valid messagesignature pair, and m∗ has never been queried to the signing oracle. The advanorge tage of F is defined to be AdvfSCUS (F) = Pr[F wins]. In the definition of strong unforgeability, the only different point is that (m∗ , σ ∗ ) does not coincide with any (m, σ) at signing queries. We denote F’s advantage orge in this case by Advsf SCUS (F) = Pr[F wins]. The notion of invisibility intuitively ensures that no-one (without contacting the signer) can tell whether a message-signature pair is valid or not, and is formally given below. We note that this definition is new to this work. Definition 3 (Strong invisibility) A selectively-convertible undeniable signature scheme SCUS satisfies strong invisibility under adaptive chosen message attack if no poly-time distinguisher D has a non-negligible advantage in the following game. At first, KeyGen(1κ ) → (pk, sk), and then D is given the public key pk. Then D is permitted to issue a series of queries: signing queries, convert queries, confirmation/disavowal queries, as in Definition 2. At some point, D outputs an arbitrary message m∗ , and requests a challenge signature σ ∗ on m∗ . The challenge signature σ ∗ is generated based on a hidden bit b. If b = 0, then σ ∗ is generated as usual using the signing algorithm; otherwise σ ∗ is chosen randomly from the signature space of the scheme (which only depends on the security parameter κ, and not on pk, sk).

The distinguisher D may additionally issue signing queries, convert queries, confirmation/disavowal queries with the only restriction that no confirmation/disavowal query and convert query (m∗ , σ ∗ ) are allowed. At the end, D outputs a bit b0 as the guess for b. The distinguisher wins the game if and only if b0 = b and its advantage is defined as Advinv SCUS (D) = | Pr[b0 = b] − 1/2|. Remarks 1 Above, there are some subtleties. First, we do allow the distinguisher to submit convert queries of the form (m∗ , σ) with σ 6= σ ∗ . We clarify this point here for later use in Appendix A. Second, D can make signing query m∗ , even in multiple times, even before and after the challenge query. Intuitively, a scheme meeting the definition enables the signer to sign on the same message many times without any loss in invisibility, so that the scheme is very suitable and easy to use at least in licensing software, which is one of the main applications, where one piece of software may be signed many times. This second subtlety makes our definition differ from and stronger than previous ones (say, that of [31]). A scheme meeting the (weak) definition as in [31] can be turned into another one satisfying our definition by ensuring that the signing messages are pairwise different (via randomness, the time when signing, etc). Similarly to the second point above, we believe that strong unforgeability is very suitable for undeniable signature schemes, especially in the context of licensing software. Our proposals fortunately meet these strong notions of security. Another security notion for undeniable signatures is anonymity, intuitively ensuring that given a message-signature pair, it is hard to know who produces the pair. As pointed out in [19], invisibility implies anonymity if all signers share a common signature space, a condition fulfilled by our proposals. We thus focus on invisibility in the rest of this paper. Definition 4 (Standard signature schemes) A signature scheme S = (Kg, Sign, Vrf) is as follows. On input 1κ , the key generation algorithm Kg produces the public key pk and the secret signing key sk. On input sk and a message m, the signing algorithm Sign produces a signature σ, which is publicly-verifiable using the verification algorithm Vrf on input pk and σ. The unforgeability under chosen message attack (uf-cma security) of a signature scheme S is defined essentially the same as that of SCUS in Definition 2, except that the forger F against S only issues signing queries. We denote −cma the advantage of F by Advuf (F) = Pr[F wins]. The strong unforgeability S (suf-cma security) is defined in a similar manner and we have the advantage −cma Advsuf (F) = Pr[F wins]. S

3

Preliminaries

Pairing Group. We call PG = (G, GT , q = |G|, g, eˆ : G × G → GT ) a pairing group if G and GT are cyclic groups of prime order q, where the bit length

|q| = κ ≈ 170. The element g is a generator of G, and the mapping eˆ satisfies the following properties: eˆ(g, g) 6= 1, and eˆ(g a , g b ) = eˆ(g, g)ab . Dlog Assumption. The assumption claims that, given PG as above, and for all $ $ x poly-time adversary A, Advdlog G,PG (A) = Pr[h = g : g, h ← G; x ← A(g, h, PG)] is negligible. Decision Linear Assumption. Given a pairing group PG, the assumption, first formalized in [3], asserts that the following advantage of a poly-time adversary A is negligible in the security parameter κ. $ $ α, β, γ ← Zq ; g1 , g2 , g3 ← G; 1 0 $ dlin AdvG (A) = Pr b = b : T0 ← g3α+β ; T1 ← g3γ ; b ← {0, 1}; − . 2 $ b0 ← A(PG, g1 , g2 , g3 , g1α , g β , Tb ) 2

Known Dlog-Based ZKIP. We use known techniques for proving statements about discrete logarithms, such as (1) proof of knowledge of discrete logarithm [37]; (2) proof of knowledge of an element representation in a prime order group [32]; and the ∧ proof of (1) and (2). (The ∧ proof is easily designed by choosing the same challenge while asking the prover to prove both (1) and (2) in parallel.) These proofs need four moves to become zero-knowledge. When referring to the proofs above, we use the following kind of notation. For instance, PoK{(x1 , x2 ): y = g x1 ∧ U = ux1 1 ux2 2 } denotes a zero-knowledge proof of knowledge of x1 and x2 such that y = g x1 and U = ux1 1 ux2 2 . All values except (x1 , x2 ) are assumed to be known to the verifier. Known NIZK Proof. We utilize the non-interactive zero-knowledge (NIZK) X m proof for proving that a system of equations of the form g0 = Πj=1 gj j , over a group G (with pairing as above) is satisfiable, where Xj are variables and g0 , . . . , gm are constants in G. This is derived from the result of Groth and Sahai [21]. We will mention more about the NIZK proofs later.

4

Our proposed SCUS1

In this section, we describe our first selectively convertible undeniable signature (SCUS) scheme and analyze its securities. 4.1

Building blocks

We first need the following ingredients, which operate on a common pairing group PG = (G, GT , q = |G|, g, eˆ : G × G → GT ). The pairing group is implicitly included in the public keys of the following schemes. Generic Bilinear Map Signature Scheme GBM [22]. The signature scheme GBM = (GBM.Kg, GBM.Sign, GBM.Vrf) is briefly recalled with some minor modifications as follows.

$

GBM.Kg(1κ ): Generate x ← Zq , X ← g x , and H : {0, 1}∗ → G. Return the verifying key pk1 = (X, H, η) where η = 70 and the signing key sk1 = x. (The public key size |pk1 | ≈ 162 · log2 q bits, according to the estimation in [22], due to the concrete description of H.) 1

$

GBM.Sign(sk1 , m ∈ {0, 1}∗ ): s ← {0, 1}η , ρ ← H(m) x+s ∈ G. Return (s, ρ) ∈ {0, 1}η × G as the signature on m. GBM.Vrf pk1 , m, (s, ρ) : Check that (s, ρ) ∈ {0, 1}η × G and eˆ(ρ, X · g s ) = eˆ(H(m), g). Return 1 if all checks pass, else return 0. The signature scheme is known to be strongly unforgeable (suf-cma secure) under the strong Diffie-Hellman assumption. To be complete, the proof given in [22] is for the uf-cma case, but holds even for suf-cma security. Linear Encryption [3]. The linear encryption scheme LE= (LE.Kg, LE.Enc, LE.Dec) is as follows. $

LE.Kg(1κ ): Generate x1 , x2 ← Zq and set g1 ← g 1/x1 , g2 ← g 1/x2 . Return the public key pk2 = (g1 , g2 ) and the secret key sk2 = (x1 , x2 ). LE.Enc(pk2 , m ∈ G): Choose r1 , r2 ← Zq and set u1 ← g1r1 , u2 ← g2r2 , u3 ← m · g r1 +r2 . Return (u1 , u2 , u3 ) as the ciphertext of m. LE.Dec sk2 , (u1 , u2 , u3 ) : Return u3 /(ux1 1 ux2 2 ). $

The scheme is ind-cpa-secure under the decision linear assumption [3]. 4.2

The scheme SCUS1

The scheme is described as follows. KeyGen(1κ ): Run GBM.Kg(1κ ) and LE.Kg(1κ ) to get (pk1 , sk1 ) and (pk2 , sk2 ). Return the public key pk = (pk1 , pk2 ) and the signing key sk = (sk1 , sk2 ). USign(sk, m): First, generate r1 , r2 ← Zq , and set u1 ← g1r1 , u2 ← g2r2 , 1 $ and m = m k u1 k u2 . Next, sign on m to get s, ρ = H(m) x+s ← GBM.Sign(sk1 , m). Then, encrypt ρ in the ciphertext (u1 , u2 , u3 = ρ · g r1 +r2 ). Return the undeniable signature σ = (s, u1 , u2 , u3 ). $

Convert(sk, m, σ): Parse σ as (s, u1 , u2 , u3 ) ∈ {0, 1}η × G3 , and let ρ ← u3 /(ux1 1 ux2 2 ). If (s, ρ) is not a GBM signature on m k u1 k u2 then return ⊥. Otherwise, return the converter (ρ, π) ∈ G × G12 , where π is a NIZK proof proving (with secrets x1 , x2 ): g = g1x1 , g = g2x2 , u3 /ρ = ux1 1 ux2 2 .

(1)

Such a NIZK proof π can be efficiently created using the result of Groth and Sahai [21]. See Appendix B for the concrete description of π. Another method of converting, inspired by Damgard and Pedersen [13], is to store the randomness r1 , r2 used in signing and later release them as converter. Then, everyone can check u1 = g1r1 , u2 = g2r2 and compute ρ as u3 /g r1 +r2 .

To do all conversion, release sk2 = (x1 , x2 ) so that everyone can compute ρ = u3 /(ux1 1 ux2 2 ) and then check whether (s, ρ) is a valid GBM signature on m k u1 k u2 . Note that in this case, our proposal becomes a regular signature scheme equivalent to the GBM scheme. Verify(pk, m, σ, cvt): Parse σ as (s, u1 , u2 , u3 ) ∈ {0, 1}η ×G3 and cvt as (ρ, π) ∈ G × G12 . Return 1 (meaning, valid) if π is a valid proof of the equations (1), and (s, ρ) is a valid GBM signature on m k u1 k u2 . Otherwise return 0. (We omit details when cvt = (r1 , r2 ).) Confirm: On common input pk, (m, σ), the signer and the verifier execute n o PoK (x, a, b) : g1a = (Xg s )−1 ∧ g2b = (Xg s )−1 ∧ ux3 ua1 ub2 = H(m k u1 k u2 )u−s . 3 Intuitively, the equations first show that a = −x1 (x + s) and b = −x2 (x + s) where x = dlogg (X), x1 = dlogg1 g and x2 = dlogg2 g. With the values a, b, the final equation is equivalent to u3 /(ux1 1 ux2 2 ) = H(m k u1 k u2 )1/(x+s) . Since u1 , u2 ∈ G, a cyclic group, there exist r1 , r2 such that u1 = g1r1 and u2 = g2r2 , and thus ux1 1 = g r1 , ux2 2 = g r2 . Hence, u3 = H(m k g1r1 k g2r2 )1/(x+s) · g r1 +r2 , showing that σ = (s, u1 , u2 , u3 ) is indeed produced by USign on m. The zero-knowledge proof of knowledge can be implemented using known ZKIPs described in Sect. 3. In the above PoK, the signer must also prove the knowledge of the secret key corresponding to the public key, namely (x, x1 , x2 ) satisfying g x = X, g = g1x1 = g2x2 . We omit these types of conditions hereafter in all PoKs for clarity. Disavowal: On common input pk, (m, σ), the signer sends a value U 6= 1 to the verifier, and both execute n PoK (c, d, f, r) : g c (X −1 g −s )r = g1d (Xg s )r = g2f (Xg s )r = 1 o ∧ U = uc3 · ud1 · uf2 · H(m k u1 k u2 )−r . Intuitively, the equations of the first line give us c = r(x+s), d = −rx1 (x+s), and f = −rx2 (x + s). Substituting these values to the second line equation and noting that U 6= 1 show u3 /(ux1 1 ux2 2 ) 6= H(m k u1 k u2 )1/(x+s) , and thus (m, σ) is invalid. The disavowal protocol is also implemented using known ZKIPs or NIZK proof in Sect. 3. Note that the NIZK proof for the disavowal protocol gives a way to “convert” (namely, make publicly-verifiable) invalid signatures. Above, if the confirmation protocol fails, then the disavowal protocol is run. If both fails, we conclude that the signer is cheating (or not cooperating). We now consider securities of SCUS1 , which are ensured by the following theorems. Theorem 5 (Strong unforgeability) The proposed SCUS1 scheme is strongly unforgeable if the signature scheme GBM is suf-cma-secure. Moreover, given a forger F against SCUS1 , there exists another forger F 0 against the GBM signature scheme such that orge suf −cma Advsf (F 0 ), SCUS1 (F) ≤ AdvGBM

T(F 0 ) = O(qconf /dis ) · T(F), where qconf /dis is the total number of confirmation/disavowal queries F made, and T expresses the running time. Proof. Given in Appendix C. Theorem 6 (Strong invisibility) The SCUS1 scheme satisfies strong invisibility. Moreover, given a distinguisher D against SCUS1 , there exist an Adlin against the decision linear assumption, and a forger F against SCUS1 such that sf orge dlin Advinv SCUS1 (D) ≤ AdvG (Adlin ) + AdvSCUS1 (F),

T(Adlin ) = O(qconf /dis ) · T(D), and T(F) ≈ T(D), where T expresses the running time, and qconf /dis is the total number of confirmation/disavowal queries D makes. Proof. We proceed in games as follows. Game 0: This is exactly the definitional game as in Definition 3. Let Wi (i = 0, 1) be the event that the distinguisher D wins in Game i, we have Advinv SCUS1 (D) = Pr[W0 ] by definition. Game 1: This game is the same as Game 0, except that we consider the following distinguisher: D never issues a convert or confirmation/disavowal query (m, σ) satisfying (1) the pair is valid (namely, ⊥ or 0 was not returned), and (2) the pair is different from all previously-issued message-signature pairs at the signing oracle. Obviously, if D (in Game 0) issues the pair (m, σ) as above, then we can use (m, σ) as a forgery (in the strong sense) of the SCUS1 scheme. More precisely, we can use D to build a forger F against SCUS1 with T(F) ≈ T(D). Thus, Game 0 and Game 1 are indistinguishable thanks to the strong unforgeability of the scheme, and hence orge |Pr[W0 ] − Pr[W1 ]| ≤ Advsf SCUS1 (F).

Using the distinguisher D in Game 1, we now build an adversary Adlin against the decision linear assumption on G satisfying Pr[W1 ] ≤ Advdlin G (Adlin ). Note that sf orge Advinv SCUS1 (D) = Pr[W0 ] ≤ Pr[W1 ] + AdvSCUS1 (F) sf orge ≤ Advdlin G (Adlin ) + AdvSCUS1 (F),

which completes the proof. Thus the rest is devoted to constructing such Adlin . The input of Adlin is (PG, g1 , g2 , g, g1α , g2β , Tb ), where T0 = g α+β and T1 = g γ $ for α, β, γ ← Zq . The adversary Adlin itself sets up the keys for GBM signa$ ture scheme: sk1 = x ← Zq and pk1 = (g x , H, η = 70); and generates a simulated crs and a trapdoor t for the NIZK of the equations (1). Then Adlin

gives pk = (pk1 , g1 , g2 , crs) to D and begins to simulate the environment for the distinguisher as follows: $

$

– Signing query m: Adlin chooses the randomness r1 , r2 ← Zq and s ← {0, 1}η , and computes ρ ← H(m k u1 k u2 )1/(x+s) where u1 = g1r1 and u2 = g2r2 . It then lets u3 ← ρ · g r1 +r2 and returns σ = (s, u1 , u2 , u3 ) to D as the undeniable signature on m. The adversary Adlin internally keeps a record of the values ρ, and also lets Q ← Q ∪ {(m, σ)} for later use, where Q is an initially empty set of message-signature pairs appeared so far. – Convert query (m, σ): If (m, σ) ∈ Q then return the corresponding recorded ρ and a simulated NIZK proof πsim (of the equations (1)) produced by using the trapdoor t. If (m, σ) 6∈ Q then return ⊥ to D. The reasoning behind this simulation is that if (m, σ) 6∈ Q then the pair must be invalid since we are in Game 1. – Confirmation/disavowal query (m, σ): Like the simulation for convert query above, if (m, σ) ∈ Q then return 1 and run the confirmation protocol with D; otherwise return 0 and run the disavowal protocol. The protocols are simulatable using the rewinding technique [20] since they are zero-knowledge. – Challenge query m∗ : Let u∗1 ← g1α and u∗2 ← g2β . Choose s∗ ← {0, 1}η and ∗ then compute ρ∗ ← H(m∗ k u∗1 k u∗2 )1/(x+s ) and u∗3 ← ρ∗ · Tb . Return σ ∗ = (s∗ , u∗1 , u∗2 , u∗3 ) to D. Note that if b = 0 then Tb = T0 = g α+β , so that σ ∗ is a valid undeniable signature on m∗ . If b = 1 then Tb = T1 = g γ is a random value over G independent of the other values, so that σ ∗ is also randomly distributed over the signature space {0, 1}η × G3 . At the end, the distinguisher D outputs a bit b0 as a guess of the hidden bit b. The adversary Adlin in turn outputs b0 . The advantage of Adlin is exactly the probability D wins in Game 1, namely Advdlin G (Adlin ) = Pr[W1 ]. The running time of Adlin is O(qconf /dis ) times that of D due to the rewinding. $

5

Our proposed SCUS2

In this section, we describe our second scheme SCUS2 , which is also secure under the same assumptions as those of SCUS1 . The scheme SCUS2 uses the BonehBoyen [2] signature scheme as a component. We first recall the Boneh-Boyen signature scheme, basing on a pairing group PG = (G, GT , q = |G|, g, eˆ : G×G → GT ). Boneh-Boyen Signature Scheme. The (standard) signature scheme BB = (BB.Kg, BB.Sign, BB.Vrf) is as follows. $

$

BB.Kg(1κ ): Generate g0 ← G, x, y ← Zq , u ← g x , v ← g y , z = eˆ(g0 , g), and a target collision hash H : {0, 1}∗ → Zq . Return the verifying key pk1 = (g0 , u, v, z, H) and the signing key sk1 = (x, y). $

1

BB.Sign(sk1 , m): s ← Zq , ρ ← g0x+H(m)+ys ∈ G. Return (s, ρ) ∈ Zq × G as the signature on m.

BB.Vrf pk1 , m, (s, ρ) : Check that (s, ρ) ∈ Zq ×G and eˆ ρ, u · g H(m) · v s = z. Return 1 if all checks pass, else return 0. It was proven in [2] that the above signature scheme is suf-cma-secure under the strong Diffie-Hellman assumption. Our Proposal SCUS2 . The scheme, whose security analysis is given in Appendix D, is described as follows. KeyGen(1κ ): Run BB.Kg(1κ ) and LE.Kg(1κ ) to get (pk1 , sk1 ) and (pk2 , sk2 ). Return the public key pk = (pk1 , pk2 ) and the signing key sk = (sk1 , sk2 ). USign(sk, m): First, generate r1 , r2 ← Zq , and set u1 ← g1r1 , u2 ← g2r2 , 1 $ and m = m k u1 k u2 . Next, sign on m to get s, ρ = g0x+H(m)+ys ← BB.Sign(sk1 , m). Then, encrypt ρ in the ciphertext (u1 , u2 , u3 = ρ · g r1 +r2 ). Return the undeniable signature σ = (s, u1 , u2 , u3 ). Convert(sk, m, σ): The same as that of SCUS1 , except now checking whether (s, ρ) is a BB signature or not. Also, for all conversion, release sk2 = (x1 , x2 ), so that our proposal becomes a regular signature scheme equivalent to the BB scheme. Verify(pk, m, σ, cvt): The same as that of SCUS1 , except now checking whether (s, ρ) is a valid BB signature or not. Confirm: On common input pk, m, σ = (s, u1 , u2 , u3 ), the signer and the verifier execute n −1 PoK (a, b, c) : g a = uv s ∧ g1b = g2c = uv s g H(mku1 ku2 ) o −H(mku1 ku2 ) ∧ ua3 ub1 uc2 = g0 u3 . $

The first three equations show a = x+ys, b = −x1 (x + H (m k u1 k u2 ) + ys), and c = −x2 (x + H (m k u1 k u2 ) + ys), where x1 = dlogg1 g and x2 = dlogg2 g. With the values a, b, c, the final equation is equivalent to u3/(ux1 1 ux2 2 ) 1/(x+H(mku ku )+ys)

1 2 = g0 , showing that (m, σ) is valid. The zero-knowledge proof of knowledge can be implemented using known ZKIPs or NIZK proofs described in Sect. 3. Disavowal: On common input pk, m, σ = (s, u1 , u2 , u3 ), the signer sends a value U 6= 1 to the verifier, and both execute n PoK (d, e, f, r) : g d (ug H(mku1 ku2 ) v s )−r = 1 ∧ g1e (ug H(mku1 ku2 ) v s )r = 1 o ∧ g2f (ug H(mku1 ku2 ) v s )r = 1 ∧ U = ud3 · ue1 · uf2 · g0−r .

Intuitively, the first three equations give us d = r(x + H(m k u1 k u2 ) + ys), e = −rx1 (x + H(m k u1 k u2 ) + ys), and f = −rx2 (x + H(m k u1 k u2 ) + ys). Substituting these values to the last equation and noting that 1/(x+H(mku1 ku2 )+ys) U 6= 1 show u3 /(ux1 1 ux2 2 ) 6= g0 , and thus (m, σ) is invalid. The disavowal protocol is also implemented using known ZKIPs or NIZK proof in Sect. 3.

6

SCUS1,2 as anonymous signature schemes

The security notions for an anonymous signature scheme are unforgeability, anonymity, and unambiguity. The former two notions are met by SCUS1 and SCUS2 , as seen in the previous sections. The last notion, unambiguity, intuitively ensures that if one signer releases a converter to convert a signature, then nobody else can convert that signature. We formalize the notion as follows. Definition 7 (Unambiguity) A scheme SCUS satisfies unambiguity if for any poly-time adversary A, $ $ (pkA , skA ) ← KeyGen(1κ ), (pkB , skB ) ← KeyGen(1κ ) def $ Advunamb (mA , mB , σ, cvtA , cvtB ) ← A(pkA , skA , pkB , skB ) SCUS (A) = Pr Verify(pkA , mA , σ, cvtA ) = Verify(pkB , mB , σ, cvtB ) = 1 is negligible in the parameter κ. If the adversary chooses cvtA randomly and lets mA = mB , the above definition essentially becomes that of Saraswat and Yun [36]. On the other hand, the difference with Bellare and Duan [1] is that we require the users indeed hold secret keys corresponding to their public keys (which can be done via efficient zero-knowledge proofs of knowledge). Ours is stronger than [36], weaker than [1]. It is however worth noting that since our schemes are also undeniable signature ones, requiring knowledge of valid secret keys is normal; since otherwise a signer creates a fake pair (sk 0 , pk) (e.g., unrelated values), then all signatures become invalid with respect to pk, so the signer obviously can deny signatures he himself produced. We now consider the schemes SCUS1 and SCUS2 , and let the converters of the schemes be the randomness of the LE scheme. Theorem 8 The schemes SCUS1 and SCUS2 (releasing randomness for selective conversion) satisfy unambiguity, under the discrete-log assumption. In particular, for any adversary A, there is an adversary B such that dlog Advunamb SCUS1,2 (A) ≤ AdvG (B),

T(B) ≈ T(A). The full proof is given in Appendix E, but the intuition is as follows. From the input g, h of B, we set up the keys (pkA , skA ) in base g, and (pkB , skB ) in base h and run A. Any ambiguity will lead to the value dlogg (h), against the dlog assumption.

Acknowledgements We thank Dennis Hofheinz for communicating on the strong uf-cma security of the GBM scheme. Many thanks also go to Laila El Aimani, Jacob Schuldt, and

Ryo Kikuchi for fruitful discussions, which sharpened the knowledge of the first author on the topic. We are indebted to the anonymous reviewers for comprehensive comments. Parts of this work was done while the first author was at Tokyo Institute of Technology with a MEXT scholarship.

References 1. M. Bellare and S. Duan. New definitions and designs for anonymous signatures. Cryptology ePrint Archive, Report 2009/336, 2009. http://eprint.iacr.org/. 2. D. Boneh and X. Boyen. Short signatures without random oracles and the sdh assumption in bilinear groups. J. Cryptology, 21(2):149–177, 2008. 3. D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In M. K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in Computer Science, pages 41–55. Springer, 2004. 4. D. Boneh, B. Lynn, and H. Shacham. Short signatures from the weil pairing. J. Cryptology, 17(4):297–319, 2004. 5. J. Boyar, D. Chaum, I. Damg˚ ard, and T. P. Pedersen. Convertible undeniable signatures. In A. Menezes and S. A. Vanstone, editors, CRYPTO, volume 537 of Lecture Notes in Computer Science, pages 189–205. Springer, 1990. 6. C. Boyd and E. Foo. Off-line fair payment protocols using convertible signatures. In K. Ohta and D. Pei, editors, ASIACRYPT, volume 1514 of Lecture Notes in Computer Science, pages 271–285. Springer, 1998. 7. E. F. Brickell, editor. Advances in Cryptology - CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16-20, 1992, Proceedings, volume 740 of Lecture Notes in Computer Science. Springer, 1993. 8. J. Camenisch, N. Chandran, and V. Shoup. A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In A. Joux, editor, EUROCRYPT, volume 5479 of Lecture Notes in Computer Science, pages 351–368. Springer, 2009. 9. J. Camenisch and V. Shoup. Practical verifiable encryption and decryption of discrete logarithms. In D. Boneh, editor, CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 126–144. Springer, 2003. 10. D. Chaum. Zero-knowledge undeniable signatures. In EUROCRYPT, pages 458– 464, 1990. 11. D. Chaum and H. V. Antwerpen. Undeniable signatures. In G. Brassard, editor, CRYPTO, volume 435 of Lecture Notes in Computer Science, pages 212–216. Springer, 1989. 12. D. Chaum and T. P. Pedersen. Wallet databases with observers. In Brickell [7], pages 89–105. 13. I. Damg˚ ard and T. P. Pedersen. New convertible undeniable signature schemes. In EUROCRYPT, pages 372–386, 1996. 14. L. El Aimani. Toward a generic construction of universally convertible undeniable signatures from pairing-based signatures. In D. R. Chowdhury, V. Rijmen, and A. Das, editors, INDOCRYPT, volume 5365 of Lecture Notes in Computer Science, pages 145–157. Springer, 2008. 15. L. El Aimani. Efficient confirmer signatures from the “signature of a commitment” paradigm. Cryptology ePrint Archive, Report 2009/435, 2009. http://eprint. iacr.org/.

16. L. El Aimani. On generic constructions of designated confirmer signatures. In B. K. Roy and N. Sendrier, editors, INDOCRYPT, volume 5922 of Lecture Notes in Computer Science, pages 343–362. Springer, 2009. Full version available at http://eprint.iacr.org/2009/403. 17. L. El Aimani. Toward a generic construction of convertible undeniable signatures from pairing-based signatures. Cryptology ePrint Archive, Report 2009/362, 2009. http://eprint.iacr.org/. 18. M. Fischlin. Anonymous signatures made easy. In T. Okamoto and X. Wang, editors, Public Key Cryptography, volume 4450 of Lecture Notes in Computer Science, pages 31–42. Springer, 2007. 19. S. D. Galbraith and W. Mao. Invisibility and anonymity of undeniable and confirmer signatures. In M. Joye, editor, CT-RSA, volume 2612 of Lecture Notes in Computer Science, pages 80–97. Springer, 2003. 20. O. Goldreich and Y. Oren. Definitions and properties of zero-knowledge proof systems. J. Cryptology, 7(1):1–32, 1994. 21. J. Groth and A. Sahai. Efficient non-interactive proof systems for bilinear groups. In N. P. Smart, editor, EUROCRYPT, volume 4965 of Lecture Notes in Computer Science, pages 415–432. Springer, 2008. 22. D. Hofheinz and E. Kiltz. Programmable hash functions and their applications. In D. Wagner, editor, CRYPTO, volume 5157 of Lecture Notes in Computer Science, pages 21–38. Springer, 2008. 23. Q. Huang and D. S. Wong. New constructions of convertible undeniable signature schemes without random oracles. Cryptology ePrint Archive, Report 2009/517, 2009. http://eprint.iacr.org/. 24. K. Kurosawa and J. Furukawa. Universally composable undeniable signature. In L. Aceto, I. Damg˚ ard, L. A. Goldberg, M. M. Halld´ orsson, A. Ing´ olfsd´ ottir, and I. Walukiewicz, editors, ICALP (2), volume 5126 of Lecture Notes in Computer Science, pages 524–535. Springer, 2008. 25. K. Kurosawa and S.-H. Heng. 3-Move undeniable signature scheme. In R. Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 181–197. Springer, 2005. 26. K. Kurosawa and S.-H. Heng. Relations among security notions for undeniable signature schemes. In R. D. Prisco and M. Yung, editors, SCN, volume 4116 of Lecture Notes in Computer Science, pages 34–48. Springer, 2006. 27. K. Kurosawa and T. Takagi. New approach for selectively convertible undeniable signature schemes. In X. Lai and K. Chen, editors, ASIACRYPT, volume 4284 of Lecture Notes in Computer Science, pages 428–443. Springer, 2006. 28. F. Laguillaumie and D. Vergnaud. Short undeniable signatures without random oracles: The missing link. In S. Maitra, C. E. V. Madhavan, and R. Venkatesan, editors, INDOCRYPT, volume 3797 of Lecture Notes in Computer Science, pages 283–296. Springer, 2005. 29. J. Monnerat and S. Vaudenay. Generic homomorphic undeniable signatures. In P. J. Lee, editor, ASIACRYPT, volume 3329 of Lecture Notes in Computer Science, pages 354–371. Springer, 2004. 30. J. Monnerat and S. Vaudenay. Undeniable signatures based on characters: How to sign with one bit. In F. Bao, R. H. Deng, and J. Zhou, editors, Public Key Cryptography, volume 2947 of Lecture Notes in Computer Science, pages 69–85. Springer, 2004. 31. W. Ogata, K. Kurosawa, and S.-H. Heng. The security of the FDH variant of Chaum’s undeniable signature scheme. IEEE Transactions on Information Theory, 52(5):2006–2017, 2006.

32. T. Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. In Brickell [7], pages 31–53. 33. L. T. Phong, K. Kurosawa, and W. Ogata. New rsa-based (selectively) convertible undeniable signature schemes. In B. Preneel, editor, AFRICACRYPT, volume 5580 of Lecture Notes in Computer Science, pages 116–134. Springer, 2009. 34. L. T. Phong, K. Kurosawa, and W. Ogata. Provably secure convertible undeniable signatures with unambiguity. Cryptology ePrint Archive, Report 2009/394, 2009. http://eprint.iacr.org/. Full version of this paper. 35. D. Pointcheval. Self-scrambling anonymizers. In Y. Frankel, editor, Financial Cryptography, volume 1962 of Lecture Notes in Computer Science, pages 259–275. Springer, 2000. 36. V. Saraswat and A. Yun. Anonymous signatures revisited. In J. Pieprzyk and F. Zhang, editors, ProvSec, volume 5848 of Lecture Notes in Computer Science, pages 140–153. Springer, 2009. 37. C.-P. Schnorr. Efficient signature generation by smart cards. J. Cryptology, 4(3):161–174, 1991. 38. J. C. N. Schuldt and K. Matsuura. An efficient convertible undeniable signature scheme with delegatable verification. Cryptology ePrint Archive, Report 2009/454, 2009. http://eprint.iacr.org/. 39. G. Yang, D. S. Wong, X. Deng, and H. Wang. Anonymous signature schemes. In M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, editors, Public Key Cryptography, volume 3958 of Lecture Notes in Computer Science, pages 347–363. Springer, 2006. 40. T. H. Yuen, M. H. Au, J. K. Liu, and W. Susilo. (Convertible) undeniable signatures without random oracles. In S. Qing, H. Imai, and G. Wang, editors, ICICS, volume 4861 of Lecture Notes in Computer Science, pages 83–97. Springer, 2007. 41. R. Zhang and H. Imai. Strong anonymous signatures. In M. Yung, P. Liu, and D. Lin, editors, Inscrypt, volume 5487 of Lecture Notes in Computer Science, pages 60–71. Springer, 2008.

A

A flaw in [40]

We first show that the scheme of Yuen et al [40] does not have invisibility in the sense of Definition 3. Let us briefly recall their undeniable signature scheme. A signature on a message m is of the form σ = (S1 , S2,1 , . . . , S2,k ) where k = 7 (see the final remark of the paper), and S1 = g2α U r ,

S2,j = Vjr (1 ≤ j ≤ k),

where α is in the secret key, r is random, while g2 , U, Vj are publicly-computable values. Notice that the undeniable signature scheme is not strongly unforgeable, since σ 0 = (S1 U t , S2,1 V1t , . . . , S2,k Vkt ) is also valid on the same m for an adversarily-chosen randomness t. (The randomness of the signature becomes r + t.) The attack on the scheme uses the same idea as the one we present at Sect.1.1. Namely, the adversary obtains the challenge σ (which is either random or valid) on its challenge query m, and then submits (m, σ 0 ) as above for selective conversion. If the answer is ⊥, then σ 0 is not valid on m, and so σ is not a signature on m. If the answer is not ⊥, σ 0 is valid on m, and so is σ. The attack is sufficient to

show that the scheme of [40] does not satisfy invisibility in the sense of Definition 3. However, Yuen et al [40] use a weaker (and not natural) definition of invisibility which disallows the convert query (m, σ 0 ) as above. In that case, the above attack does not apply, but the invisibility proof (Theorem 2 of [40]) is incorrect in that it makes use of strong unforgeability. Specifically, in the simulation of the confirmation/disavowal oracle, the following reasoning is used: Let L is the set of previously-appeared message-signature pairs at the signing oracle. Upon receiving a confirmation/disavowal query (m, σ), if (m, σ) ∈ L then return 1 and execute the confirmation protocol, otherwise if (m, σ) 6∈ L then return 0 and execute the disavowal protocol. The above simulation is unfortunately imperfect and incorrect, since if the adversary submits the above (m, σ 0 ) as a confirmation/disavowal query, then (m, σ 0 ) 6∈ L, but valid, while the simulation will return 0 and execute the disavowal protocol. In short, if the strong definition of invisibility (Definition 3) is used, the scheme in [40] is totally insecure; while if the weaker definition is used, then the invisibility proof provided in [40] is incorrect. In the full version of [40], Yuen et al have totally revised their scheme, which is based on the CDH and DLIN assumptions. However, the scheme is not as efficient as ours, let alone seems hard to meet unambiguity.

B

The NIZK proof for selective conversion

We present the concrete NIZK proof of the equations g = g1x1 , g = g2x2 , u3 /ρ = ux1 1 ux2 2 , used by the Convert algorithms of SCUS1 and SCUS2 . The proof is originally developed by Groth and Sahai [21], but here we follows the exposition of Camenisch, Chandran and Shoup [8] (Section 4.4). Recall that we work on a pairing group PG = (G, GT , q = |G|, g, eˆ : G × G → GT ). First, a common reference string, which must be honestly generated, and can $ be kept in the public key of the signer, is generated as follows: γ1 , γ2 , γ3 ← G and $ γ = (γ0 , γ00 , γ000 ) ← G3 . Let the common reference string be crs = (γ1 , γ2 , γ3 , γ), and define vectors γ1 = (γ1 , 1, γ3 ), γ2 = (1, γ2 , γ3 ). $ The prover, with secrets x1 , x2 , works as follows. It chooses random rij ← Zq , where 1 ≤ i, j ≤ 2, and computes δ1 = γ x1 · γ1 r11 · γ2 r12 = (γ0x1 γ1r11 , γ00x1 γ2r12 , γ000x1 γ3r11 +r12 ) ∈ G3 , δ2 = γ x2 · γ1 r21 · γ2 r22 = (γ0x2 γ1r21 , γ00x2 γ2r22 , γ000x2 γ3r21 +r22 ) ∈ G3 , where exponentiations and products of the vectors are understood (as usual) as exponentiations and products of the corresponding components. The NIZK proof is π = δ1 , δ2 , (g1r11 , g1r12 ), (g2r21 , g2r22 ), (ur111 · ur221 , ur112 · ur222 ) ∈ G12 .

Define E : G × G3 → G3T , which sends the tuple α, (α1 , α2 , α3 ) to the tuple eˆ(α, α1 ), eˆ(α, α2 ), eˆ(α, α3 ) , which is also a bilinear map. To verify whether π = δ1 , δ2 , (p1 , p2 ), (p01 , p02 ), (p001 , p002 ) ∈ G12 proves the equations, one checks whether the following holds E(g1 , δ1 ) = E(g, γ) · E(p1 , γ1 ) · E(p2 , γ2 ), E(g2 , δ2 ) = E(g, γ) · E(p01 , γ1 ) · E(p02 , γ2 ), E(u1 , δ1 ) · E(u2 , δ2 ) = E(u3 /ρ, γ) · E(p001 , γ1 ) · E(p002 , γ2 ). Derived from [8], the NIZK proof has perfect completeness, statistical soundness, and computational zero-knowledge (based on the decision linear assumption). The zero-knowledge is computational since a simulated crs is needed, and is created as follows: γ1 and γ2 are generated as above, but γ = γ1 t1 γ2 t2 for trapdoor t = (t1 , t2 ).

C

Proof of Theorem 5

Given a forger F against the proposed SCUS scheme, we build a forger F 0 against the ordinary GBM signature scheme. The input of F 0 is pk1 = (PG, X = g x , H, η = 70) and F 0 has a signing oracle GBM.Sign(sk1 = x, ·). F 0 itself chooses $ the keys for the linear encryption scheme sk2 = (x1 , x2 ) ← Zq2 , and pk2 = (g1 = g 1/x1 , g2 = g 1/x2 ). The forger F 0 gives pk = (pk1 , pk2 ) as the public key of the SCUS scheme to F, and begins to simulate the environment for the SCUS forger as follows: – Signing query m: F 0 chooses r1 , r2 ← Zq and sets u1 ← g1r1 , u2 ← g2r2 , and then calls m k u1 k u2 to its own signing oracle GBM.Sign(sk1 = x, ·) to obtain the GBM signature (s, ρ). F 0 then returns the undeniable signature (s, u1 , u2 , u3 = ρ · g r1 +r2 ) to F. $

– Confirmation/disavowal query (m, σ): Parse σ as (s, u1 , u2 , u3 ) ∈ {0, 1}η × G3 . Decrypt (u1 , u2 , u3 ) to get ρ (since F 0 has sk2 ), and then check whether (s, ρ) is a valid GBM signature on m k u1 k u2 or not. If it is the case, return 1 and run the confirmation protocol with F (acting as a cheating verifier); otherwise, return 0 and run the disavowal protocol with F accordingly. The protocols are simulatable using the rewinding technique [20] since they are zero-knowledge. – Convert query (m, σ): Parse σ = (s, u1 , u2 , u3 ) ∈ {0, 1}η × G3 . Let ρ ← u3 /(ux1 1 ux2 2 ). If (s, ρ) is a valid GBM signature on m k u1 k u2 , then compute the NIZK proof π (using secrets x1 , x2 ) of the equations (1), and finally return the converter (ρ, π). Otherwise, if (s, ρ) is not a valid GBM signature on m k u1 k u2 , then return ⊥. At the end, the forger F outputs m∗ , σ ∗ = (s∗ , u∗1 , u∗2 , u∗3 ) . If F succeeds, (m∗ , σ ∗ ) is a valid pair of the SCUS scheme, we then have u∗3 ∗ x (u1 ) 1 (u∗2 )x2

1

= H(m∗ k u∗1 k u∗2 ) x+s∗ .

u∗ 3 Based on the above equation, F 0 outputs m∗ k u∗1 k u∗2 , (s∗ , (u∗ )x1 (u as ∗ )x2 ) 1 2 a forgery of the ordinary GBM signature scheme. It is clear that the forgery is valid, and we just need to prove that it is different from all message-signature pairs appeared at the oracle GBM.Sign(sk1 = x, ·). By the contrary, suppose that u∗ 3 m∗ k u∗1 k u∗2 , (s∗ , (u∗ )x1 (u = m k u1 k u2 , (s, ρ) , a previously-appeared ∗ )x2 ) 1 2 pair at the signing oracle of F 0 . Thus m = m∗ , u1 = u∗1 , u2 = u∗2 , s = s∗ , and furthermore u∗3 = ρ · (u∗1 )x1 (u∗2 )x2 = ρ · (u1 )x1 (u2 )x2 = u3 , and hence m∗ , σ ∗ = (s∗ , u∗1 , u∗2 , u∗3 ) = m, σ = (s, u1 , u2 , u3 ) , which is a contradiction to the success of F. The running time of F 0 is O(qconf /dis ) times that of F due to the rewinding used in the simulation of the confirmation and disavowal protocol.

D

Security of SCUS2

We consider the securities of SCUS2 , which are ensured by the following theorems. Theorem 9 (Strong unforgeability) The SCUS2 scheme is strongly unforgeable if the signature scheme BB is suf-cma-secure. Moreover, given a forger F against SCUS2 , there exists another forger F 0 against the BB signature scheme such that orge suf −cma Advsf (F 0 ), SCUS2 (F) ≤ AdvBB T(F 0 ) = O(qconf /dis ) · T(F), where qconf /dis is the total number of confirmation/disavowal queries, and T expresses the running time. Proof. The proof is essentially the same as that of Theorem 5, so we just outline the main ideas here. The forger F 0 first generates the keys (pk2 , sk2 ) for the LE scheme, which will be used for the simulation of the convert and confirmation/disavowal oracles. For answering signing queries from F, the forger F 0 uti- lizes its own signing oracle. Finally, F outputs the pair m∗ , σ ∗ = (s∗ , u∗1 , u∗2 , u∗3 ) satisfying 1 ∗ ∗ u∗3 x+H(m∗ ku∗ 1 ku2 )+ys = g , 0 ∗ ∗ (u1 )x1 (u2 )x2 so that F 0 in turn outputs ∗ ∗ ∗ m k u1 k u2 , s∗ ,

u∗3 (u∗1 )x1 (u∗2 )x2

as the forgery in the strong sense of the BB signature, completing the proof.

Theorem 10 (Strong invisibility) The SCUS2 scheme satisfies strong invisibility. Moreover, given a distinguisher D against SCUS2 , there exist Adlin and a forger F against SCUS2 such that sf orge dlin Advinv SCUS2 (D) ≤ AdvG (Adlin ) + AdvSCUS2 (F),

T(Adlin ) = O(qconf /dis ) · T(D), and T(F) ≈ T(D), where T expresses the running time, and qconf /dis is the total number of confirmation/disavowal queries D makes. Proof. The proof follows along the line of that of Theorem 6, except that Adlin generates the keys for the BB signature scheme, and uses them to simulate the signing and challenge oracle for D. The rest remains the same.

E

Unambiguity of SCUS1,2

We begin to show unambiguity for the scheme SCUS2 (choosing to release LE randomness as converter) by proving dlog Advunamb SCUS2 (A) ≤ AdvG,PG (B),

T(B) ≈ T(A). Given A against unambiguity of SCUS2 , we build B against the dlog assumption on G of PG. The adversary B gets (g, h) ∈ G2 and the description of the pairing group PG as input, and needs to output dlogg (h). Using the generator g and PG, B sets up (pkA , skA ) for user A where the value g0 of the Boneh-Boyen signature $ scheme is set to g a for a ← Zq . It does the same for (pkB , skB ) except that the value g0 of the Boneh-Boyen signature scheme is set to h. The adversary B runs A on input (pkA , skA , pkB , skB , PG). A returns the tuple (mA , mB , σ, cvtA , cvtB ), where σ = (s, u1 , u2 , u3 ), the converters cvtA = (r1A , r2A ) and cvtB = (r1B , r2B ) satisfying a

u3 = g xA +HA (mA ku1 ku2 )+yA s · g r1A +r2A 1

u3 = h xB +HB (mB ku1 ku2 )+yB s · g r1B +r2B The values (xA , yA ) and (xB , yB ) are respectively in skA and skB , set up by B. The above equations are thanks to Verify(pkA , mA , σ, cvtA ) = Verify(pkA , mA , σ, cvtA ) = 1. Note that we have the Boneh-Boyen signatures in base g in the first equation and h in the second one. From the above equations, it is clear that B can compute dlogg (h), ending the proof for SCUS2 . We proceed with unambiguity of SCUS1 . Similarly with the above, we have the equations 1

u3 = HA (m) xA +s · g r1A +r2A 1

u3 = HB (m) xB +s · g r1B +r2B

Note that now HA , HB are not arbitrary, but specific hash functions, given as 160 hash(X)[i] hi for Y ∈ {A, B}, h0 , . . . , h160 ∈ G and collisionHY (X) = h0 Πi=1 resistant hash : {0, 1}∗ → {0, 1}160 , where hash(X)[i] denotes the i-th bit of the hash value. Again, the idea is to set up the base g for HA and the base h for HB , which can be easily done by the adversary B. We omit further details. It is interesting to ask whether our schemes with NIZK converters satisfy unambiguity or not. They seem to meet the notion, but we unfortunately cannot prove, so leaving it as an open problem.